Abstract

Recent works have shown the power of linear indexed type systems 
for enforcing complex program properties. These systems combine 
linear types with a language of type-level indices, allowing more 
fine-grained analyses. Such systems have been fruitfully applied 
in diverse domains, including implicit complexity and differential 
privacy. 

A natural way to enhance the expressiveness of this approach 
is by allowing the indices to depend on runtime information, in 
the spirit of dependent types. This approach is used in DFuzz, a 
language for differential privacy. The DFuzz type system relies on 
an index language supporting real and natural number arithmetic 
over constants and variables. Moreover, DFuzz uses a subtyping 
mechanism to make types more flexible. By themselves, linearity, 
dependency, and subtyping each require delicate handling when 
performing type checking or type inference; their combination 
increases this challenge substantially, as the features can interact in 
non-trivial ways. 

In this paper, we study the type-checking problem for DFuzz. We
show how we can reduce type checking for (a simple extension of)
DFuzz to constraint solving over a first-order theory of naturals and
real numbers which, although undecidable, can often be handled in
practice by standard numeric solvers.

Categories and Subject Descriptors F.3.3 [Studies of Program
Constructs]: Type structure

Keywords type checking, type inference, linear types, subtyping,
sensitivity analysis

1. Introduction 

Linear indexed type systems have been used to ensure safety properties
of programs with respect to different kinds of resources; examples
include usage analysis [24, 25], implicit complexity [4, 5, 14],
sensitivity analysis [10, 23], automatic timing analysis [12, 13],
and more. Linear indexed types use a type-level index language to
describe resources and linear types to reason about the program's
resource usage in a compositional way.

One limitation of such systems is that resource usage is inferred 
independently of the control flow of a program—e.g. the typing 
rule for branching usually approximates resources by taking the 
maximal usage of one of the branches, and recursion imposes even 
greater restrictions. To improve this scenario, some authors have 
proposed extending such systems with dependent types, using type 
indices to capture both resource usage and the size information of a 
program’s input. This significantly enriches the resulting analysis by 
allowing resource usage to depend on runtime information. Linear 
dependently typed systems have been used in several domains, 
including implicit complexity [4, 16] and sensitivity analysis [10]. 

Of course, there is a price to be paid for the increase in expressiveness:
type checking and type inference become inevitably more
complex. In linear indexed type systems, these tasks are often done
in two stages: a standard Hindley-Milner-like pass, followed by
a constraint-solving procedure. In some cases, the generated constraints
can be solved automatically by using custom algorithms [17]
or off-the-shelf SMT solvers [7, 13]. However, the constraints are
specific to the index language, and richer index languages often lead
to more complex constraints.

Type-checking DFuzz 

In this paper we will focus on the type-checking problem for 
a particular programming language with linear dependent types: 
DFuzz [10], a dependently-typed extension of the Fuzz programming 
language [23]. 

Fuzz uses linear indexed types to reason about programs in the 
context of differential privacy. Its indices are real numbers that 
provide upper bounds on the sensitivity of a program, a quantity 
that measures the distance between outputs on nearby inputs. In this 
setting, type checking and inference result in a simple but effective 
static analysis for function sensitivity. Indeed, as shown by D’Antoni 
et al. [7], both of these can be performed efficiently by using an 
SMT solver to discharge the numeric proof obligations arising from 
the type system. 

While Fuzz works well on a variety of simple programs, it has 
a fundamental limitation: sensitivity information cannot depend 
on runtime information, such as the size of a data structure. This 
is what DFuzz is designed to handle. DFuzz indices combine 
information about the size of data structures with information 
about the sensitivity of functions. Technically, this is achieved by 
considering an index language with variables ranging over integers 
(to refer to runtime sizes) and reals (to refer to runtime sensitivities). 
This richer index language, combined with dependent pattern
matching and subtyping, achieves increased expressiveness in the
analysis, providing sensitivity bounds beyond Fuzz's capabilities.

However, adding variables to the index language has a significant 
impact on the difficulty of type checking. Concretely, since the index 
language also supports addition and multiplication, index terms are 
now polynomials over the index variables. Instead of constraints 
between real constants like in Fuzz, type checking constraints in 
DFuzz may involve general polynomials. 

A natural first approach is to try to extend the algorithm proposed
by D'Antoni et al. [7] to work with the new index language by
simply generating additional constraints when dealing with the
new language constructs. This would be similar in spirit to the
work of Dal Lago et al. [6] for type inference for dℓPCF, a
linear dependently typed system for complexity analysis. A crucial
difference between that setting and DFuzz is that the index language
of dℓPCF can be extended by arbitrary (computable) functions. This
makes the approach to type inference for dℓPCF proposed by Dal
Lago and Petit the most natural, since such functions can be used as
direct solutions to some of the introduced constraints.

However, such an approach does not work as well for DFuzz, 
which opts for a much smaller index language. While it may be 
possible to extend DFuzz’s index language with general functions, 
we opt to keep the index language simple. Instead, since the type 
system of DFuzz also supports subtyping, we consider a different approach
inspired by techniques from the literature on subtyping [21]
and on constraint-based type-inference approaches [15, 19, 22].

The main idea is to type-check a program by inferring some set 
of sensitivities for it, and then testing whether the resulting type is 
a subtype of the desired type. To obtain completeness (relative to 
checking the subtype), one must ensure that the inferred sensitivities 
are the “best” possible for that term. Unfortunately, the DFuzz index 
language is not rich enough for expressing such sensitivities. For 
instance, some cases require taking the maximum of two sensitivity 
expressions, something that cannot be done in the language of 
polynomials. We solve this problem by extending the index language
with three syntactic constructs, resulting in a new type system that
we name EDFuzz. This new system has meta-theoretic properties
that are similar to those of DFuzz, but also simplifies the search
for minimal sensitivities. Using these new constructs, we design a
sensitivity-inference algorithm for EDFuzz which we show sound
and complete, modulo constraint resolution.

We now face the problem of solving the constraints generated 
by our algorithm. First, we show how to compile the constraints 
generated by the algorithmic systems to constraints in the first-order 
theory over mixed integers and reals. This way, we can still use 
a numeric solver without resorting to custom symbolic resolution. 
Unfortunately, the presence of natural numbers in the constraints 
has important consequences: we show that DFuzz type-checking is 
undecidable by reducing from Hilbert’s tenth problem, a standard 
undecidable problem. 

While this result shows that we can't have a terminating type-checker
that is both sound and complete, not everything is lost.
We first show that by approximating the constraints, we obtain a
sound and computable method to type-check EDFuzz programs. We
show that this procedure can successfully type-check a fragment of
EDFuzz which we call UDFuzz; almost all of the examples proposed
by Gaboardi et al. [10] belong to this class. Of course, UDFuzz is a
strict subset of EDFuzz, and it is not hard to come up with well-typed
programs in EDFuzz that are invalid under UDFuzz.

Finally, we present a constraint simplification procedure that
can significantly reduce the complexity of our translated constraints
(measured by the number of alternating quantifiers), even when
checking full EDFuzz.


Contributions 

We briefly overview the DFuzz programming language in Section 2, 
to move to an informal exposition of the main challenges involved 
in Section 3. Then, we present the main contributions of the paper: 

• EDFuzz, an extension of DFuzz with a more expressive sensitivity
language that gives programs more precise types (Section 4);

• a sound and complete algorithm that reduces type checking and 
sensitivity inference in EDFuzz to constraint solving over the 
first-order theory of N and R (Section 5 and Section 6); 

• a proof of undecidability of type checking in DFuzz (and 
EDFuzz) (Section 7); 

• a sound translation from the previous type-checking constraints 
to the first-order theory of the real numbers, a decidable theory 
(Section 8.1); and 

• a simplification procedure to make the constraints more amenable 
to automatic solving (Section 8.2). 

Additionally, we have developed a prototype implementation of 
the above, which we discuss in Section 9. 

2. The DFuzz System 

DFuzz [10] is a language for writing and verifying differentially 
private programs. At its core lies a type system for tracking function 
sensitivity: 

Definition 1. Given two metric spaces $X, Y$, the sensitivity (or
Lipschitz constant) of a function $f : X \to Y$ is a number $k$ such
that $d_Y(f(x), f(x')) \le k \cdot d_X(x, x')$ for all $x, x' \in X$. In this case,
we say that $f$ is $k$-sensitive (or $k$-Lipschitz continuous).

The precise relationship between differential privacy and function
sensitivity is beyond the scope of this paper; we refer the reader
to previous work [10, 23] for more information. What is important
for present purposes is that DFuzz uses a linear dependently-typed
system for analyzing function sensitivity. Let us begin with a brief
presentation of DFuzz before discussing the type-checking challenges.

2.1 Syntax and Types 

DFuzz is an extension of PCF with dependent indexed linear types.
Indices consist of numeric constants; index-level variables, which
range over sizes (natural numbers) or sensitivities (positive reals
extended with $\infty$, a set we denote $\mathbb{S}$); and addition and multiplication of
indices. The syntax of DFuzz, including types, terms, and the index
language, is shown in Figure 1, which we briefly overview. Here, we
omit some features of the original system to keep our presentation
simple.

• Abstraction and application for index variables are captured by
the $\Lambda i : \kappa.\, e$ and $e[R]$ terms, with $\kappa$ representing the kind of $i$.
We refer to variables of kind $\mathsf{n}$ as size variables, while variables
of kind $\mathsf{r}$ are sensitivity variables.

• Singleton types $\mathbb{N}[S]$ and $\mathbb{R}[R]$ are used to relate type-level
sizes and sensitivities with term-level sizes and sensitivities.

• Dependent pattern matching over $\mathbb{N}[S]$ types is captured by the
case construction.

• Linear functions indexed by $R$ are written ${!}_R\,\sigma \multimap \tau$.

• Variable environments $\Gamma$ carry an additional annotation on
assignments $x :_{[R]} \sigma$, representing the current sensitivity $R$
for the variable $x$.

• Index variable environments $\phi$ specify the kinding of index
variables.
• Constraint environments $\Phi$ store assumptions introduced under
dependent pattern matching. Often, we will think of a constraint
environment as the conjunction of its constraints.

\[
\begin{array}{rcll}
\kappa & ::= & \mathsf{r} \mid \mathsf{n} & \text{(kinds)}\\
\mathbb{S} & ::= & \mathbb{R}^{+} \cup \{\infty\} & \text{(extended positive reals)}\\
S & ::= & i \mid 0 \mid S + 1 & \text{(sizes)}\\
R & ::= & S \mid i \mid r \mid R + R \mid R \cdot R & \text{(sensitivities)}\\
\sigma, \tau & ::= & \mathbb{R} \mid \mathbb{R}[R] \mid \mathbb{N}[S] \mid {!}_R\,\sigma \multimap \tau & \text{(types)}\\
& \mid & \forall i : \kappa.\, \sigma \mid \sigma \otimes \tau \mid \sigma \,\&\, \tau & \\
e & ::= & x \mid n \mid \mathsf{s}\, e \mid r \mid \mathsf{fix}\,(x : \sigma).\, e & \text{(expressions)}\\
& \mid & \lambda x :_{[R]} \sigma.\, e \mid e_1\, e_2 & \\
& \mid & \Lambda i : \kappa.\, e \mid e[R] & \\
& \mid & \langle e_1, e_2 \rangle \mid \pi_i\, e & \\
& \mid & (e_1, e_2) \mid \mathsf{let}\ (x, y) = e\ \mathsf{in}\ e' & \\
& \mid & \mathsf{case}\ e\ \mathsf{of}\ 0 \Rightarrow e_0 \mid \mathsf{n}[i] + 1 \Rightarrow e_s & \\
\Gamma, \Delta & ::= & \emptyset \mid \Gamma, x :_{[R]} \sigma & \text{(environments)}\\
\phi & ::= & \emptyset \mid \phi, i : \kappa & \text{(sens. environments)}\\
\Phi & ::= & \top \mid \Phi, S = 0 \mid \Phi, S = i + 1 & \text{(constraints)}
\end{array}
\]

Figure 1. DFuzz Types and Expressions

2.2 Environment Operations 

As in many similar systems, DFuzz defines operations on variable
environments. Specifically, we can add two environments $\Gamma, \Delta$,
and scale a single environment $\Gamma$ by a sensitivity expression
$R$. We define environment multiplication $R \cdot \Gamma$ as the operation
taking every element $x_i :_{[R_i]} \sigma_i$ of $\Gamma$ to $x_i :_{[R \cdot R_i]} \sigma_i$. Environment
addition is defined iff all the common assignments of $\Gamma, \Delta$ map
to the same type, that is to say, for all $x_i \in \mathrm{dom}(\Gamma) \cap \mathrm{dom}(\Delta)$,
$(x_i :_{[R_i]} \sigma_i) \in \Gamma$ and $(x_i :_{[S_i]} \sigma_i) \in \Delta$, where we write $\mathrm{dom}(\Gamma)$
for the domain of an environment. In this case:

\[
\begin{array}{rcl}
\Gamma + \Delta & = & \{\, x_i :_{[R_i + S_i]} \sigma_i \mid x_i \in \mathrm{dom}(\Gamma) \cap \mathrm{dom}(\Delta) \,\} \\
& \cup & \{\, x_j :_{[R_j]} \sigma_j \mid x_j \in \mathrm{dom}(\Gamma) - \mathrm{dom}(\Delta) \,\} \\
& \cup & \{\, x_k :_{[S_k]} \sigma_k \mid x_k \in \mathrm{dom}(\Delta) - \mathrm{dom}(\Gamma) \,\}
\end{array}
\]

2.3 Subtyping 

DFuzz has a notion of subtyping, which intuitively corresponds to a
standard property of function sensitivity: a $k$-sensitive function
is also $k'$-sensitive for all $k' \ge k$. Furthermore, subtyping in
DFuzz is the mechanism that allows types to use information from
the constraint environment; in this use, subtyping allows a form
of type coercion. We consider here a slightly simpler definition
of subtyping than the one used in Gaboardi et al. [10]. In the
environments we require subtyping to preserve the internal type.
This slight modification will allow us to simplify some rules of the
type-checking algorithm.

The semantics of the subtyping relation is defined by interpreting
sensitivity expressions as functions that produce sensitivity values.
Formally, let $R$ be a sensitivity expression, well-typed under environment
$\phi$, and $\rho$ a suitable variable valuation (i.e., a function that
maps each variable $i : \kappa$ in $\phi$ to an element of $[\![\kappa]\!]$, with $[\![\mathsf{n}]\!] = \mathbb{N}$
and $[\![\mathsf{r}]\!] = \mathbb{S}$). We then define $[\![R]\!]_\rho$ as follows:

\[
\begin{array}{rcll}
[\![0]\!]_\rho & := & 0 & \\
[\![S + 1]\!]_\rho & := & [\![S]\!]_\rho + 1 & \\
[\![i]\!]_\rho & := & \rho(i) & i \text{ a variable}\\
[\![r]\!]_\rho & := & r & r \text{ a constant}\\
[\![R_1 + R_2]\!]_\rho & := & [\![R_1]\!]_\rho + [\![R_2]\!]_\rho & \\
[\![R_1 \cdot R_2]\!]_\rho & := & [\![R_1]\!]_\rho \cdot [\![R_2]\!]_\rho &
\end{array}
\]


Then, the standard ordering $\ge$ on $\mathbb{S}$ induces an ordering on index
terms, which we can then extend to a subtype relation $\sqsubseteq$ on types
and environments; the rules can be found in Figure 2. Note that
checking happens under the current constraint environment $\Phi$, so
subtyping may use information recovered from a dependent match.

\[
\begin{array}{c}
\dfrac{}{\phi; \Phi \models \sigma \sqsubseteq \sigma}\ (\sqsubseteq\text{-Refl})
\qquad
\dfrac{\phi; \Phi \models \sigma \sqsubseteq \sigma' \quad \phi; \Phi \models \tau \sqsubseteq \tau'}{\phi; \Phi \models \sigma \,\&\, \tau \sqsubseteq \sigma' \,\&\, \tau'}\ (\sqsubseteq\text{-}\&)
\\[2ex]
\dfrac{\phi; \Phi \models \sigma \sqsubseteq \sigma' \quad \phi; \Phi \models \tau \sqsubseteq \tau'}{\phi; \Phi \models \sigma \otimes \tau \sqsubseteq \sigma' \otimes \tau'}\ (\sqsubseteq\text{-}\otimes)
\qquad
\dfrac{\phi; \Phi \models \sigma' \sqsubseteq \sigma \quad \phi; \Phi \models \tau \sqsubseteq \tau' \quad \phi; \Phi \models R' \ge R}{\phi; \Phi \models {!}_R\,\sigma \multimap \tau \sqsubseteq {!}_{R'}\,\sigma' \multimap \tau'}\ (\sqsubseteq\text{-}\multimap)
\\[2ex]
\dfrac{\phi, i : \kappa; \Phi \models \sigma \sqsubseteq \tau \quad i \text{ fresh in } \phi}{\phi; \Phi \models \forall i : \kappa.\, \sigma \sqsubseteq \forall i : \kappa.\, \tau}\ (\sqsubseteq\text{-}\forall)
\\[2ex]
\dfrac{\forall (x :_{[R'_i]} \sigma) \in \Delta.\ \exists R_i.\ (x :_{[R_i]} \sigma) \in \Gamma \wedge (\phi; \Phi \models R_i \ge R'_i)}{\phi; \Phi \models \Gamma \sqsubseteq \Delta}\ (\sqsubseteq\text{-Env})
\end{array}
\]

Figure 2. DFuzz Subtyping Relation

The leaves of the subtype derivation are assertions $\phi; \Phi \models R_1 \ge R_2$.
These are defined logically as
\[
\forall \rho \in \mathrm{val}(\phi).\ [\![\Phi]\!]_\rho \Rightarrow [\![R_1]\!]_\rho \ge [\![R_2]\!]_\rho,
\]
where $\mathrm{val}(\phi)$ is the set of all valid valuations for environment $\phi$,
and $[\![\Phi]\!]_\rho$ is the conjunction of the denotations of each formula in
$\Phi$, defined the usual way.

2.4 Typing 

Typing judgments for DFuzz are of the form
\[
\phi; \Phi \mid \Gamma \vdash e : \sigma
\]
meaning that term $e$ has type $\sigma$ under environments $\phi$ and $\Gamma$ and
constraints $\Phi$; full rules are shown in Figure 3.

We highlight here just the most complex rule, the dependent
pattern-matching rule ($\mathbb{N}$ E), which allows each branch to be typed
under different assumptions on the type $\mathbb{N}[S]$ of the scrutinee $e$.
The left branch $e_0$ is typed under the assumption $S = 0$, while the
right branch $e_s$ is typed under the assumption $S = i + 1$ for some fresh $i$.
Combined with the rule for fixpoints (Fix), this allows us to express
programs whose sensitivity depends on the number of iterations
or number of input elements. These rules also require implicitly
that all sensitivity (and size) expressions be well-typed under the
appropriate environments, which we note $\phi \vdash R$. Readers interested
in more details can consult Gaboardi et al. [10]; we follow their
presentation closely except for a few points, which we detail in the
Appendix.

2.5 Examples 

We close the overview of DFuzz with some examples, to give an idea 
of the increase in expressiveness brought by dependent types. We 
take the liberty of including some features that were not introduced 
before to make the examples more interesting. 

Figure 3. DFuzz Typing Rules

We begin by considering multiplication of a real number by
a natural number. Without dependent types, the best type we can
assign to multiplication is ${!}_\infty\,\mathbb{N} \multimap {!}_\infty\,\mathbb{R} \multimap \mathbb{R}$, which is not very
informative. However, thanks to dependent types we can introduce
a scaling primitive with the following type:
\[
\times : \forall i : \mathsf{n}.\ {!}_\infty\,\mathbb{N}[i] \multimap {!}_i\,\mathbb{R} \multimap \mathbb{R}
\]
By partially applying this operator, we obtain a scaling function
with the appropriate sensitivity, e.g.
\[
(3 \times -) : {!}_3\,\mathbb{R} \multimap \mathbb{R}.
\]
DFuzz uses probability distributions for differential privacy. The
type system includes a primitive for adding noise drawn from the
Laplace distribution to its input, with the following type:
\[
\mathsf{add\_noise} : \forall \epsilon : \mathsf{r}.\ {!}_\epsilon\,\mathbb{R} \multimap \bigcirc\mathbb{R}
\]
where $\bigcirc\mathbb{R}$ is the type of probability distributions over $\mathbb{R}$. Here,
$\epsilon$ is a parameter for controlling the amount of added noise. This
noise determines how "far apart" the resulting distributions will
be; as it turns out, given the distance function used for probability
distributions in DFuzz, this results in an $\epsilon$-sensitive function.

Finally (and more interestingly), the standard map function on
lists is given the following type in DFuzz:
\[
\mathsf{map} : \forall i\, R\, \sigma\, \tau.\ {!}_i({!}_R\,\sigma \multimap \tau) \multimap {!}_R\,\mathsf{list}(\sigma)[i] \multimap \mathsf{list}(\tau)[i]
\]
Here, $\mathsf{list}(\sigma)[i]$ is the type of lists of elements of some type $\sigma$ with
length equal to $i$. Because we have length-indexed lists, we can
correctly track the sensitivity of map on its function argument,
which is precisely the length of its list argument. Fuzz, in contrast,
would require us to replace $i$ by $\infty$.

3. The Challenge of Type-checking Linear 
Dependent Types 

Type-checking a language with linear indexed types presents several 
challenges, which are only compounded when dependent types and 
subtyping are added to the mix. In this section, we take a closer look 
at these challenges. 


3.1 To Split, or not to Split? 

The first problem we face is due to linearity. Given a term and 
an environment, we need a way to “split” the environment into 
appropriate subenvironments that can be used in the recursive calls 
to type-check subterms. 

Automatically inferring the right environments in our setting is
difficult, due to the index language for DFuzz. Indeed, index terms
are polynomials over index variables, which may range over the
reals or the naturals. For instance, we may know that a particular
variable $x$ has sensitivity $R + 3$ in our environment, for some polynomial
index term $R$. However, it is not clear how to split such sensitivity
information between two environments that share the variable $x$. In fact,
as we will show below, in general it is not always possible to find a split.
One might hope to simplify the type-checking task by requiring the programmer
to provide a few type annotations, like in non-linear type systems.
Unfortunately, this approach is impractical for the splitting problem
because the annotations must describe the split for every variable
binding in the environment!

To better understand this obstacle, let us consider two general 
approaches to type-checking linear type systems, which we call the 
top-down and bottom-up strategies. 

The Downfall of Top-Down 

For the type-checking problem, suppose we are given the environment
$\Gamma$, a term $e$, and a purported type $\sigma$. The goal is to decide if
$\Gamma \vdash e : \sigma$ is derivable. The top-down strategy takes an environment
and a term, and attempts to partition the environment and recursively
type the subterms of $e$.

The main difficulty of this approach centers around splitting the
environment, a problem that is most clear in the application rule.
Here is a simplified version:
\[
\dfrac{\Gamma \vdash f : {!}_R\,\sigma \multimap \tau \qquad \Delta \vdash e : \sigma}{\Gamma + R \cdot \Delta \vdash f\, e : \tau}
\]
So given a type-checking problem $\Sigma \vdash f\, e : \sigma'$, our first difficulty is
to pick $R$, $\Gamma$, and $\Delta$ such that $\Sigma = \Gamma + R \cdot \Delta$. We could try to guess
$R$, but unfortunately it may depend on the choice of $\Gamma$. Since our
index language contains the real numbers, the number of possible
splittings isn't even finite.

A natural idea is to delay the choice of this split. For instance, we
may create a placeholder variable $R$ and placeholder environments
$\Gamma', \Delta'$, asserting $\Sigma = \Gamma' + R \cdot \Delta'$ and recursively type-checking $f$
and $e$. After reaching the leaves of the derivation, we would have a
set of constraints whose satisfiability would imply that the program
type-checks.

Unfortunately, the constraints seem difficult to solve due to the
syntactical nature of our indices. In other words, the "placeholder
variables" are really meta-variables that range over index terms,
which could potentially depend on bound index variables. In order
to prove soundness of such a system with respect to the formal
typing system, the solver must return success only if there is a
solution where all the meta-variables can be instantiated to an index
term, a syntactic object. This is at odds with the way most solvers
work, semantically, finding arbitrary solutions over their domain.
It is not clear how to solve these existential constraints automatically
for the specific index language of DFuzz.

The Rise of Bottom-Up? 

A different approach is a bottom-up strategy: suppose we are again
given an environment $\Gamma$, a term $e$, and a type $\sigma$, and we want to
check if $\Gamma \vdash e : \sigma$ is derivable. The main idea is to avoid splitting
environments by calculating the minimal sensitivities needed for
typing each subexpression. For each typing rule, these minimal sensitivities
can be combined to find the resulting minimal sensitivities
for $e$. Once this is done, we just need to check whether these optimal
sensitivities are compatible with $\Gamma$ and $\sigma$ via subtyping.

Let's consider how this works in more detail by analyzing a
few important cases. At the base case, we type-check variables
in a minimal environment (that is, empty but for the variable) by
assigning it the minimal sensitivity required:
\[
x :_{[1]} \sigma \vdash x : \sigma
\]
Recall that we have weakening on the left, so we can add non-occurring
variables to the environment later.

Now, the key benefit of the bottom-up approach becomes evident
in the application rule: we can completely avoid the splitting
problem. When faced with a type-checking instance $\Sigma \vdash f\, e : \sigma$,
we recursively find optimal $\Gamma$, $R$, and $\Delta$ for checking $f$ and $e$; then,
checking that $\Sigma \sqsubseteq \Gamma + R \cdot \Delta$ suffices.

Unfortunately, things don't look so easy in the additive rules.
Let's examine the introduction rule for $\&$:
\[
\dfrac{\Gamma \vdash e_1 : \sigma_1 \qquad \Gamma \vdash e_2 : \sigma_2}{\Gamma \vdash \langle e_1, e_2 \rangle : \sigma_1 \,\&\, \sigma_2}
\]
This rule forces both environments to have the same sensitivities,
but the bottom-up idea may infer different environments for each
expression:
\[
\dfrac{\Gamma_1 \vdash e_1 : \sigma_1 \qquad \Gamma_2 \vdash e_2 : \sigma_2}{\Sigma? \vdash \langle e_1, e_2 \rangle : \sigma_1 \,\&\, \sigma_2}
\]
Now we need to guess a best environment $\Sigma?$, but the DFuzz
sensitivity language is too weak to express this value. For instance,
if we consider two sensitivity expressions depending on a sensitivity
variable $r$ (one of them being $r$ itself), we can show that there is no minimal
polynomial upper bound for them under the point-wise order on
polynomials¹.

¹ Indeed, it can be seen that DFuzz does not possess minimal types. Refer to
the Appendix for a more detailed proof.


To maintain the minimality invariant, we can extend the sensitivity
language with a new syntactic construct $\max(R_1, R_2)$
for sensitivity-inference purposes only, which should denote the
maximum of two sensitivity values. We could then safely set
$\Sigma? := \max(\Gamma_1, \Gamma_2)$, where the expression combines sensitivities
for the bindings on both environments as expected.
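As an added illustration (example code written for this page, not the authors' implementation), the following Python sketch implements the environment operations of Section 2.2, the environment-subtyping check ($\sqsubseteq$-Env) of Section 2.3, and the bottom-up inference just described, restricted to ground (constant) sensitivities so that every leaf constraint $R \ge R'$ is a plain comparison, which is exactly the Fuzz situation. The term fragment it covers (variables, application, the additive pair $\langle e_1, e_2 \rangle$ and the multiplicative pair $(e_1, e_2)$), the class names, the sample context, and the convention $0 \cdot \infty = 0$ are assumptions of the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union

INF = float("inf")

# Types of the fragment (class names assumed for this example).
@dataclass(frozen=True)
class Base: name: str                          # a base type such as R or N
@dataclass(frozen=True)
class Lolli: sens: float; dom: "Ty"; cod: "Ty" # !_R sigma -o tau, an R-sensitive function
@dataclass(frozen=True)
class With: left: "Ty"; right: "Ty"            # sigma & tau (additive pair)
@dataclass(frozen=True)
class Tensor: left: "Ty"; right: "Ty"          # sigma (x) tau (multiplicative pair)
Ty = Union[Base, Lolli, With, Tensor]
Env = Dict[str, Tuple[float, Ty]]              # x :_[R] sigma is stored as x -> (R, sigma)

def times(a: float, b: float) -> float:
    return 0.0 if 0.0 in (a, b) else a * b     # 0 * inf = 0 (assumed convention)

def scale(r: float, gamma: Env) -> Env:
    """R . Gamma (Section 2.2): multiply every annotation by R."""
    return {x: (times(r, s), t) for x, (s, t) in gamma.items()}

def merge(gamma: Env, delta: Env, op: Callable[[float, float], float]) -> Env:
    """Combine annotations with `op`; a variable bound on both sides must have the
    same type (as required for Gamma + Delta); a missing binding counts as 0."""
    out: Env = {}
    for x in set(gamma) | set(delta):
        s1, t1 = gamma.get(x, (0.0, None))
        s2, t2 = delta.get(x, (0.0, None))
        if t1 is not None and t2 is not None and t1 != t2:
            raise TypeError(f"{x} has different types in the two environments")
        out[x] = (op(s1, s2), t1 if t1 is not None else t2)
    return out

def add(gamma: Env, delta: Env) -> Env:        # Gamma + Delta
    return merge(gamma, delta, lambda a, b: a + b)

def env_max(gamma: Env, delta: Env) -> Env:    # max(Gamma, Delta): the EDFuzz extension
    return merge(gamma, delta, max)

def env_subtype(sigma: Env, gamma: Env) -> bool:
    """Sigma [= Gamma (rule [=-Env): every x :_[R'] tau in Gamma is matched by
    x :_[R] tau in Sigma with R >= R'. With ground sensitivities each leaf is a
    plain comparison; with index variables it would be a constraint for a solver."""
    return all(x in sigma and sigma[x][1] == t and sigma[x][0] >= r
               for x, (r, t) in gamma.items())

# Terms of the fragment.
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class App: fun: "Tm"; arg: "Tm"
@dataclass(frozen=True)
class Amp: left: "Tm"; right: "Tm"             # <e1, e2> : sigma & tau
@dataclass(frozen=True)
class Pair: left: "Tm"; right: "Tm"            # (e1, e2) : sigma (x) tau
Tm = Union[Var, App, Amp, Pair]

def infer(skel: Dict[str, Ty], e: Tm) -> Tuple[Env, Ty]:
    """Bottom-up inference: return the minimal environment and the type of e,
    given only a context skeleton (types without sensitivity annotations)."""
    if isinstance(e, Var):                           # x :_[1] sigma |- x : sigma
        return {e.name: (1.0, skel[e.name])}, skel[e.name]
    if isinstance(e, App):                           # Gamma + R . Delta |- f e : tau
        g, tf = infer(skel, e.fun)
        d, ta = infer(skel, e.arg)
        if not isinstance(tf, Lolli) or tf.dom != ta:
            raise TypeError("ill-typed application")
        return add(g, scale(tf.sens, d)), tf.cod
    g1, t1 = infer(skel, e.left)
    g2, t2 = infer(skel, e.right)
    if isinstance(e, Amp):                           # both sides share one environment: take max
        return env_max(g1, g2), With(t1, t2)
    return add(g1, g2), Tensor(t1, t2)               # (x): environments are summed

def check(skel: Dict[str, Ty], sigma: Env, e: Tm, ty: Ty) -> bool:
    """Type checking as inference followed by subtyping (types compared for equality here)."""
    g, t = infer(skel, e)
    return t == ty and env_subtype(sigma, g)

# Constructed sample: f is 2-sensitive, g is 3-sensitive, both applied to the same x.
R = Base("R")
SKEL: Dict[str, Ty] = {"f": Lolli(2.0, R, R), "g": Lolli(3.0, R, R), "x": R}
AMP = Amp(App(Var("f"), Var("x")), App(Var("g"), Var("x")))    # <f x, g x>
TEN = Pair(App(Var("f"), Var("x")), App(Var("g"), Var("x")))   # (f x, g x)

if __name__ == "__main__":
    print(infer(SKEL, AMP)[0]["x"][0])   # 3.0: x is used with sensitivity max(2, 3)
    print(infer(SKEL, TEN)[0]["x"][0])   # 5.0: x is used with sensitivity 2 + 3
```

The two sample terms differ only in the kind of pair: for $\langle f\,x, g\,x\rangle$ the inferred annotation on $x$ is $\max(2, 3) = 3$, which is precisely the value DFuzz's polynomial index language cannot express once the sensitivities are open terms, while for $(f\,x, g\,x)$ it is the sum $2 + 3 = 5$. `check` then compares a user-supplied environment against the inferred one; it only compares types for equality, so the $\sqsubseteq$ rules on types are not modelled.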

However, there is a problem with this approach: the resulting
algorithm is not sound with respect to the original type system,
because it allows more terms to be typed even when sensitivities in
the final type do not mention the new construct! To see this, assume
that our algorithm produces a derivation $\Gamma' \vdash e : \sigma'$ using extended
sensitivities. Now, soundness amounts to showing that for all $\Gamma, \sigma$
mentioning only standard sensitivities such that $\Gamma \sqsubseteq \Gamma'$ and $\sigma' \sqsubseteq \sigma$,
there exists a typing derivation $\Gamma \vdash e : \sigma$ that uses only the original
sensitivity language. Let's try to sketch how this proof would work
by restricting our attention to a particular instance of the application
rule:
\[
\dfrac{\phi; \Phi \mid \emptyset \vdash f : {!}_{R_f}\,\sigma \multimap \tau \qquad \phi; \Phi \mid x :_{[R_x]} \rho \vdash e : \sigma}{\phi; \Phi \mid x :_{[R_f \cdot R_x]} \rho \vdash f\, e : \tau}
\]
where $R_x$ is an extended sensitivity expression. By induction, we
know that for all standard sensitivity expressions $R'_x$ such that
$R'_x \ge R_x$, we can obtain a standard derivation $x :_{[R'_x]} \rho \vdash e : \sigma$.
We also have standard $R_{xf}$ such that $R_{xf} \ge R_f \cdot R_x$. Thus, all we
need to do is to calculate from $R_f, R_{xf}$ standard sensitivities $R'_f$,
$R'_x$ to be able to apply both induction hypotheses. The following
result shows that this is not always possible.

Lemma 2. Given standard sensitivity expressions $R_{xf}, R_f$ and
an extended sensitivity expression $R_x$ such that $R_{xf} \ge R_f \cdot R_x$, it
is not the case that one can always find standard $R'_f, R'_x$ such that
$R_{xf} \ge R'_f \cdot R'_x \wedge R'_f \ge R_f \wedge R'_x \ge R_x$.

Proof. Take $R_{xf} = r^2 + 1$, $R_f = r$ and $R_x = \max(2, r)$. As we
can see, we have $r^2 + 1 \ge r \cdot \max(2, r)$, with equality iff $r = 1$.
Suppose there exist standard sensitivity expressions $R'_f, R'_x$ that
satisfy the statement. Because $R'_f \ge r$ and $R'_x \ge \max(2, r)$, we
know by asymptotic analysis that the degree of $R'_f$ and $R'_x$ must be
at least 1. Furthermore, because $r^2 + 1 \ge R'_f \cdot R'_x$, their degree must
be exactly 1, with leading coefficient equal to 1. Write $R'_f = r + a$
and $R'_x = r + b$, where $a, b$ are non-negative constants. The lower bound
on $R'_x$ implies $b \ge 2$. For $r = 1$, we have $R'_f \cdot R'_x \ge 3a + 3 \ge 3$.
However, the lower and upper bounds for $R'_f \cdot R'_x$ coincide at that
point, forcing $R'_f \cdot R'_x = 2$; contradiction. Thus, no such $R'_f, R'_x$
can exist. □

It is not hard to adapt the above into a counterexample for the 
soundness of the algorithm with respect to the original system. 
However, we can recover soundness by extending the sensitivity 
language for the basic typing rules as well. 

3.2 Avoiding the Avoidance Problem 

After the addition of least upper bounds for sensitivities, the bottom- 
up approach is in a good working state for the basic system. However, 
other constructs in the language introduce further challenges. In 
particular, let’s examine a simple version of the abstraction rule for 
sensitivity variables: 

\[
\dfrac{\phi, i : \kappa \mid \Gamma \vdash e : \sigma \qquad i \text{ fresh in } \Gamma}{\phi \mid \Gamma \vdash \Lambda i : \kappa.\, e : \forall i : \kappa.\, \sigma}
\]

When this rule is interpreted in a top-down approach, usually no 
problem arises; we would just introduce the new sensitivity variable 
and proceed with type checking. 
However, when the type-checking direction is reversed, we hit a
version of the avoidance problem [8, 11, 18]. The avoidance problem
usually appears in slightly different scenarios related to existential
types, and could be informally stated as finding a best type free of a
particular variable. In our case, we must find the "best" $\Gamma$ free of $i$.
It may not be obvious how $i$ could have been propagated to $\Gamma$, but
indeed, a function $f$ in $e$ could have a type such as ${!}_i\,\sigma \multimap \tau$, and
applying $f$ will introduce $i$ into the environment in the bottom-up
approach.

Fortunately, in our setting, we can easily solve the avoidance
problem by further extending the sensitivity language. The "best"
way of freeing a sensitivity expression $R$ of a variable $i$ is to take
the supremum of $R$ over all possible values of $i$, which we denote
by $\sup(i, R)$². Then, the minimal environment is $\sup(i, \Gamma)$, where
the supremum is extended to each binding in the environment.
the supremum is extended to each binding in the environment. 

3.3 Undependable Dependencies 

The last case to consider in our informal overview is case, also
referred to as dependent pattern matching.

The dependent pattern matching can be considered as a special 
case of the two previous difficulties. Like the least upper bound, 
we must compute a least upper bound of the resources used in 
two branches. However, now the information coming from the 
successor branch may also contain sensitivities depending on the 
newly introduced refinement variable, which cannot occur in the 
upper bound; similar to the avoidance problem we just discussed. 
On top of that, information coming from both sides is conditional 
on the particular refinements induced by the match, so any new 
sensitivity information that we propagate cannot really depend on 
the refinements. 

We now face a choice: we can introduce refinement types over
sensitivity and size variables of the form $\{\sigma \mid P(i)\}$, which would
allow us to express the sensitivity inference for case in terms of
the least upper bound and supremum operations. However, we take
a simpler path and add a conditional operator on natural number
expressions $S$, $\mathsf{case}(S, R_0, i, R_s)$, interpreted as $R_0$ if $S$ is $0$ or
$R_s[i \mapsto S - 1]$ if $S \ge 1$.

In the next sections we proceed to formally introduce the ex¬ 
tended sensitivities and its semantics; we discuss the type-checking 
algorithm, which depends on solving inequality constraints over the 
extended sensitivities; and we study several approaches to constraint 
solving and discuss decidability issues. 

4. Extended DFuzz: EDFuzz 

We define a conservative extension of DFuzz's type system, EDFuzz,
which is basically DFuzz with an extended sensitivity language for
the indices. We summarize the new sensitivity terms, ranged over
by meta-variable $R$:

• $\max(R_1, R_2)$ is the pointwise least upper bound of sensitivity
terms $R_1, R_2$.

• $\sup(i, R)$ is the pointwise least upper bound of $R$ over all $i$.

• $\mathsf{case}(S, R_0, i, R_s)$ is the conditional function on the size expression
$S$ that is valued $R_0$ when $S = 0$, and $R_s[i \mapsto S - 1]$
when $S$ is a strictly positive integer.

The semantics of extended terms is defined as follows. 


² Contrary to $\max(-, -)$, it would have been possible to define this
construct as a function over sensitivity expressions, without the need to
extend their syntax. This would still be true even after introducing the index-level
case sensitivity expression for analyzing dependent pattern matching. As the
translation is somewhat intricate and leads to more complex constraints, we
chose to add it directly to the syntax of sensitivity expressions.


Definition 3 (Extended sensitivity semantics). We extend the semantics
of sensitivities to the new constructs in the following way
(the old cases stay the same):

\[
\begin{array}{rcl}
[\![\sup(i : \kappa, R)]\!]_\rho & := & \sup_{n \in [\![\kappa]\!]} \{\, [\![R]\!]_{\rho \cup [i = n]} \,\} \\[1ex]
[\![\max(R_1, R_2)]\!]_\rho & := & \max([\![R_1]\!]_\rho, [\![R_2]\!]_\rho) \\[1ex]
[\![\mathsf{case}(S, R_0, i, R_s)]\!]_\rho & := &
\begin{cases}
[\![R_0]\!]_\rho & \text{if } [\![S]\!]_\rho = 0 \\
[\![R_s]\!]_{\rho \cup [i = n - 1]} & \text{if } [\![S]\!]_\rho = n \ge 1.
\end{cases}
\end{array}
\]

We define analogous operations on environments in the obvious
way. For instance, if $x :_{[R_1]} \sigma \in \Gamma_1$ and $x :_{[R_2]} \sigma \in \Gamma_2$, then
$x :_{[\max(R_1, R_2)]} \sigma \in \max(\Gamma_1, \Gamma_2)$. As previously, two-argument
operations on environments are only defined when every variable
that is bound on both environments is assigned the same type by
them.

It is not hard to show that any derivation valid in DFuzz remains valid in EDFuzz. Furthermore, DFuzz's metatheory only relies on sensitivity terms having an interpretation as a total function from (valuations of) their free variables to real numbers, rather than on any specific property of the interpretation itself. The extended interpretation is total, and hence the metatheory of DFuzz extends to EDFuzz.


5. Type Checking and Inference

We present a sound and complete type-checking and sensitivity-inference algorithm for EDFuzz. The algorithm assumes an oracle for deciding the subtyping relation; in this sense, our algorithm is relatively complete. We defer discussion about solving subtyping constraints to the next section.

The type-checking problem for EDFuzz is the usual one: given a full context, term, and type, the goal is to check if there is a derivation deriving the type from the context.

Definition 4 (Type Checking). Given an environment $\Gamma$, a term $e$ and a type $\sigma$, the type-checking problem for EDFuzz is to determine whether a derivation $\emptyset; \emptyset \mid \Gamma \vdash e : \sigma$ exists.

Before we move to sensitivity inference, we introduce some notation for working with contexts. It will be convenient to work with contexts with no top-level annotations, i.e., contexts with bindings $(x : \sigma)$, where $\sigma$ is a proper EDFuzz type. We will call such contexts context skeletons. For notation, $\overline{\Gamma}$ will mean the context $\Gamma$ with all top-level annotations removed, while $\Gamma^*$ will represent an arbitrary context skeleton.

In our context, sensitivity inference means inferring the sensitivity annotations in both an environment and a type. The input is an annotated term³ and a context without top-level annotations. The goal is to reconstruct a type for the term and a full proper EDFuzz context (i.e., with all top-level annotations), along with a derivation, if possible.

Definition 5 (Sensitivity Inference). Given an environment skeleton $\Gamma^*$ and a term $e$, the sensitivity-inference problem is to compute an environment $\Gamma$ and a type $\sigma$ with a derivation of $\emptyset; \emptyset \mid \Gamma \vdash e : \sigma$, such that $\overline{\Gamma} = \Gamma^*$.

5.1 The Algorithm

We can fulfill both goals using an algorithm that takes as inputs a term $e$, an environment free of sensitivity annotations $\Gamma^*$, and a refinement constraint $\Phi$ (together with the index variable environment $\phi$ under which they are well-formed). The algorithm outputs an annotated environment $\Delta$ and a type $\sigma$. We write a call to the sensitivity inference algorithm as:

$$\phi; \Phi; \Gamma^*; e \Rightarrow \Delta; \sigma.$$


³ We discuss annotations in Section 5.2.
$$\frac{}{\phi;\Phi;\Gamma^*;\ r \Rightarrow 0\mathrm{ctx}(\Gamma^*);\ \mathbb{R}}\ (\mathrm{Const})
\qquad
\frac{n = \lfloor S \rfloor}{\phi;\Phi;\Gamma^*;\ n \Rightarrow 0\mathrm{ctx}(\Gamma^*);\ \mathbb{N}[S]}\ (\mathrm{Const}_{\mathbb{N}})
\qquad
\frac{}{\phi;\Phi;\Gamma^*, x : \sigma;\ x \Rightarrow 0\mathrm{ctx}(\Gamma^*), x :_{[1]} \sigma;\ \sigma}\ (\mathrm{Var})$$

$$\frac{\phi;\Phi;\Gamma^*, x : \sigma;\ e \Rightarrow \Delta, x :_{[R']} \sigma;\ \tau \qquad \phi;\Phi \models R \ge R'}{\phi;\Phi;\Gamma^*;\ \lambda(x :_{[R]} \sigma).\,e \Rightarrow \Delta;\ !_R \sigma \multimap \tau}\ (\multimap \mathrm{I})$$

$$\frac{\phi;\Phi;\Gamma^*;\ e_1 \Rightarrow \Delta;\ !_R \sigma \multimap \tau \qquad \phi;\Phi;\Gamma^*;\ e_2 \Rightarrow \Delta';\ \sigma' \qquad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi;\Gamma^*;\ e_1\, e_2 \Rightarrow \Delta + R \cdot \Delta';\ \tau}\ (\multimap \mathrm{E})$$

$$\frac{\phi, i : \kappa;\Phi;\Gamma^*;\ e \Rightarrow \Delta;\ \sigma}{\phi;\Phi;\Gamma^*;\ \Lambda i : \kappa.\,e \Rightarrow \mathrm{sup}(i, \Delta);\ \forall i : \kappa.\,\sigma}\ (\forall \mathrm{I})
\qquad
\frac{\phi;\Phi;\Gamma^*;\ e \Rightarrow \Delta;\ \forall i : \kappa.\,\sigma \qquad \phi \vdash S : \kappa}{\phi;\Phi;\Gamma^*;\ e[S] \Rightarrow \Delta;\ \sigma[S/i]}\ (\forall \mathrm{E})$$

$$\frac{\phi;\Phi;\Gamma^*;\ e_1 \Rightarrow \Delta_1;\ \sigma_1 \qquad \phi;\Phi;\Gamma^*;\ e_2 \Rightarrow \Delta_2;\ \sigma_2}{\phi;\Phi;\Gamma^*;\ (e_1, e_2) \Rightarrow \Delta_1 + \Delta_2;\ \sigma_1 \otimes \sigma_2}\ (\otimes \mathrm{I})$$

$$\frac{\phi;\Phi;\Gamma^*;\ e \Rightarrow \Delta;\ \sigma \otimes \tau \qquad \phi;\Phi;\Gamma^*, x : \sigma, y : \tau;\ e' \Rightarrow \Delta', x :_{[R_1]} \sigma, y :_{[R_2]} \tau;\ \mu}{\phi;\Phi;\Gamma^*;\ \mathrm{let}\,(x, y) = e\ \mathrm{in}\ e' \Rightarrow \Delta' + \max(R_1, R_2) \cdot \Delta;\ \mu}\ (\otimes \mathrm{E})$$

$$\frac{\phi;\Phi;\Gamma^*;\ e_1 \Rightarrow \Delta_1;\ \sigma_1 \qquad \phi;\Phi;\Gamma^*;\ e_2 \Rightarrow \Delta_2;\ \sigma_2}{\phi;\Phi;\Gamma^*;\ \langle e_1, e_2 \rangle \Rightarrow \max(\Delta_1, \Delta_2);\ \sigma_1 \,\&\, \sigma_2}\ (\& \mathrm{I})
\qquad
\frac{\phi;\Phi;\Gamma^*;\ e \Rightarrow \Delta;\ \sigma_1 \,\&\, \sigma_2}{\phi;\Phi;\Gamma^*;\ \pi_j\, e \Rightarrow \Delta;\ \sigma_j}\ (\& \mathrm{E})$$

$$\frac{\phi;\Phi;\Gamma^*, x : \sigma;\ e \Rightarrow \Delta, x :_{[R]} \sigma;\ \sigma' \qquad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi;\Gamma^*;\ \mathrm{fix}\,x : \sigma.\,e \Rightarrow \infty \cdot \Delta;\ \sigma}\ (\mathrm{Fix})
\qquad
\frac{\phi;\Phi;\Gamma^*;\ e \Rightarrow \Delta;\ \mathbb{N}[S]}{\phi;\Phi;\Gamma^*;\ \mathsf{s}\, e \Rightarrow \Delta;\ \mathbb{N}[S + 1]}\ (\mathrm{S\,I})$$

$$\frac{\begin{array}{c}
\phi;\Phi;\Gamma^*;\ e \Rightarrow \Delta;\ \mathbb{N}[S] \qquad \phi;\Phi, S = 0;\Gamma^*;\ e_0 \Rightarrow \Delta_0;\ \sigma_0 \\
\phi, i : \mathsf{n};\Phi, S = i + 1;\Gamma^*, x : \mathbb{N}[i];\ e_s \Rightarrow \Delta_s, x :_{[R']} \mathbb{N}[i];\ \sigma_s \\
\phi;\Phi, S = 0 \models \sigma_0 \sqsubseteq \sigma \qquad \phi, i : \mathsf{n};\Phi, S = i + 1 \models \sigma_s \sqsubseteq \sigma
\end{array}}{\phi;\Phi;\Gamma^*;\ \mathrm{case}\ e\ \mathrm{return}\ \sigma\ \mathrm{of}\ 0 \mapsto e_0 \mid x[i] + 1 \mapsto e_s \Rightarrow \mathrm{case}(S, \Delta_0, i, \Delta_s) + \mathrm{case}(S, 0, i, R') \cdot \Delta;\ \sigma}\ (\mathbb{N}\,\mathrm{E})$$

Figure 4. Algorithmic rules for EDFuzz


Figure 4 presents the full algorithm in a judgmental style. The algorithm is based on a syntax-directed version of DFuzz that enjoys several nice properties; full technical details and notation definitions can be found in the Appendix. Here, we just sketch how the transformation works in the proofs of soundness and completeness.

Theorem 6 (Algorithmic Soundness). Suppose $\phi;\Phi;\Gamma^*;e \Rightarrow \Delta;\sigma$. Then, there is a derivation of $\phi;\Phi \mid \Delta \vdash e : \sigma$.

Proof. We define two intermediate systems: the first one internalizing certain properties of weakening, and a second, syntax-directed one. The algorithm is a direct transcription of the syntax-directed system, and its soundness can be proved by induction on the number of steps. We prove soundness of the syntax-directed system by induction on the syntax-directed derivation. □

Theorem 7 (Algorithmic Completeness). If $\phi;\Phi \mid \Gamma \vdash e : \sigma$ is derivable, then $\phi;\Phi;\overline{\Gamma};e \Rightarrow \Gamma';\sigma'$ and $\phi;\Phi \models \Gamma \sqsubseteq \Gamma' \wedge \sigma' \sqsubseteq \sigma$.

Proof. We show that a "best" syntax-directed derivation can be built from any standard derivation by induction on the original derivation, plus monotonicity and commutativity properties of the subtype relation. Completeness for the algorithm follows. □

5.2 Removing Sensitivity Annotations 

We briefly discuss the role annotations play in our algorithm. DFuzz 
programs have three different annotations: the type of the argument 
for lambda terms (including the sensitivity), the return type for case, 
and the type for fixpoints. 


The sensitivity annotations ensure that inferred types are free of 
terms with extended sensitivities. This is useful for some optimiza¬ 
tions on subtype checking (introduced later in the paper). However, 
the general encoding of subtyping checks works with full extended 
types, thus the sensitivity annotations can be safely omitted and the 
system will infer types containing extended sensitivities. 

Due to technical difficulties in inferring the minimal sensitivity in the presence of higher-order functions, the argument type in functions ($\sigma$ in $\lambda(x : \sigma)$) must be annotated, and we require the type of fixpoints to be annotated.

6. Constraint Solving

The type-checking algorithm introduced in the previous section produces inequality constraints over the extended sensitivity language. While these extended sensitivity terms may appear complicated, we can translate them into equivalent formulas over the first-order theory of arithmetic over $\mathbb{R}$ and $\mathbb{N}$. While we show in the next section that validity of the formulas we generate is undecidable in general, they can still be handled by standard solvers. Moreover, in Section 8.1 we will present a sound (although not complete) computable procedure to check the constraints.

To define our translation, it suffices to convert formulas with extended sensitivities into equivalent ones that use only standard sensitivities, for we can replace quantification over $\mathbb{S}$ by equivalent formulas that only quantify over $\mathbb{R}$ and $\mathbb{N}$. For instance, a formula of the form $\forall i : \mathbb{S}.\,P$, where $P$ has only quantifiers over $\mathbb{R}$ or $\mathbb{N}$, can be translated into $(\forall i : \mathbb{R}.\ i \ge 0 \Rightarrow P) \wedge P'$, where $P'$ is the result of substituting $\infty$ for $i$ in $P$ and performing all possible simplifications.


PREPRINT 2015/3/17
The idea behind our translation is simple: we use a first-order formula to uniquely specify each extended sensitivity term. Specifically, we define a predicate $T(R)$ for each extended sensitivity term $R$, such that $\llbracket T(R)(r) \rrbracket_\rho$ holds exactly when $r$ is equal to the interpretation of $R$ under the valuation $\rho$. For instance, consider the translation for $R_1 + R_2$:

$$T(R_1 + R_2)(r) := \exists r_1\, r_2 : \mathbb{S}.\ T(R_1)(r_1) \wedge T(R_2)(r_2) \wedge r = r_1 + r_2$$

For $\rho$ a valuation for $R_1, R_2$, we have $r_1 = \llbracket R_1 \rrbracket_\rho$ and $r_2 = \llbracket R_2 \rrbracket_\rho$. Then the only $r$ that satisfies this predicate is

$$r = r_1 + r_2 = \llbracket R_1 \rrbracket_\rho + \llbracket R_2 \rrbracket_\rho = \llbracket R_1 + R_2 \rrbracket_\rho,$$

as desired.

For a more involved example, consider the translation of $\max(R_1, R_2)$:

$$T(\max(R_1, R_2))(r) := \exists r_1\, r_2 : \mathbb{S}.\ T(R_1)(r_1) \wedge T(R_2)(r_2) \wedge (r_1 \ge r_2 \wedge r = r_1 \ \vee\ r_2 \ge r_1 \wedge r = r_2).$$

Again, for any valuation $\rho$ of $R_1, R_2$, we have $r_1 = \llbracket R_1 \rrbracket_\rho$ and $r_2 = \llbracket R_2 \rrbracket_\rho$. The final clause states that $r$ must be the largest of $r_1$ and $r_2$, which is precisely the semantics we have given $\llbracket \max(R_1, R_2) \rrbracket_\rho$. The full translation is in Figure 5.

We formalize our intuitive explanation of the translation with the following lemma.

Lemma 8. For every sensitivity expression $R$ and $r \in \mathbb{S}$, and for every valuation $\rho$ whose domain contains the free variables of $R$,

$$\llbracket T(R)(r) \rrbracket_\rho \iff r = \llbracket R \rrbracket_\rho.$$

Proof. By induction on $R$. We have already considered the $R_1 + R_2$ and $\max(R_1, R_2)$ cases above. □

Using the translation of terms, we can translate sensitivity constraints generated by our typing algorithm. We map each constraint of the form

$$\phi;\Phi \models R_1 \ge R_2$$

to

$$\forall \phi.\ \Phi \Rightarrow \exists r_1\, r_2 : \mathbb{S}.\ T(R_1)(r_1) \wedge T(R_2)(r_2) \wedge r_1 \ge r_2.$$

Thanks to Lemma 8, this translation is equivalent to the semantics of sensitivity constraints given in Section 2.
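As an added example (not part of the paper, and not the authors' OCaml implementation), the following Python code carries out the translation of Figure 5 mechanically: it turns an extended sensitivity term into an SMT-LIB 2 formula $T(R)(r)$, and a constraint $\phi;\Phi \models R_1 \ge R_2$ into the closed formula above. The tuple encoding of terms, the sort mapping (kind $\mathsf{n}$ to Int, kind $\mathsf{r}$ to Real, both guarded by $\ge 0$) and all helper names are assumptions of this example; the point at infinity of $\mathbb{S}$ is not modelled, so this covers only the finite half of the translation sketched at the start of this section.

```python
from itertools import count

# Term encoding constructed for this example (the paper uses mathematical notation):
#   ('var', 'i')  ('const', 3)  ('+', A, B)  ('*', A, B)  ('max', A, B)
#   ('sup', 'i', 'N', A)  sup over i ranging over N ('N') or over S ('S')
#   ('case', S, R0, 'i', Rs)
# Kinds map to SMT sorts: N -> Int (with i >= 0), S -> Real (with r >= 0).  The point at
# infinity of S is not modelled; Section 6 handles it by substituting ∞ separately.

class Translator:
    def __init__(self, kinds=None):
        self.kinds = dict(kinds or {})   # kind of each free index variable
        self._ids = count()

    def fresh(self, base='r'):
        return f"{base}{next(self._ids)}"

    @staticmethod
    def sort(kind):
        return 'Int' if kind == 'N' else 'Real'

    @staticmethod
    def lit(n, sort):
        return f"{n}.0" if sort == 'Real' else str(n)

    def T(self, R, r, sort='Real'):
        """Formula in the free variable r (of the given sort) holding iff r = [[R]] (Lemma 8)."""
        tag = R[0]
        if tag == 'var':
            v = R[1]
            if sort == 'Real' and self.kinds.get(v) == 'N':
                v = f"(to_real {v})"         # a size variable used inside a sensitivity
            return f"(= {r} {v})"
        if tag == 'const':
            return f"(= {r} {self.lit(R[1], sort)})"
        if tag in ('+', '*', 'max'):
            r1, r2 = self.fresh(), self.fresh()
            sub = f"{self.T(R[1], r1, sort)} {self.T(R[2], r2, sort)}"
            if tag == 'max':
                rel = (f"(or (and (>= {r1} {r2}) (= {r} {r1})) "
                       f"(and (>= {r2} {r1}) (= {r} {r2})))")
            else:
                rel = f"(= {r} ({tag} {r1} {r2}))"
            z = self.lit(0, sort)
            return (f"(exists (({r1} {sort}) ({r2} {sort})) "
                    f"(and (>= {r1} {z}) (>= {r2} {z}) {sub} {rel}))")
        if tag == 'case':
            _, S, R0, i, Rs = R
            rs = self.fresh('z')
            self.kinds[i] = 'N'
            return (f"(exists (({rs} Int)) (and (>= {rs} 0) {self.T(S, rs, 'Int')} "
                    f"(or (and (= {rs} 0) {self.T(R0, r, sort)}) "
                    f"(exists (({i} Int)) (and (>= {i} 0) (= {rs} (+ {i} 1)) "
                    f"{self.T(Rs, r, sort)})))))")
        if tag == 'sup':
            _, i, kind, body = R
            self.kinds[i] = kind
            rp = self.fresh()
            # least upper bound: r bounds R for every i, and any other bound r' is >= r.
            # This is where alternating quantifiers enter (Section 8.2 removes them).
            return (f"(and {self.bound(i, kind, body, r, sort)} "
                    f"(forall (({rp} {sort})) (=> {self.bound(i, kind, body, rp, sort)} "
                    f"(>= {rp} {r}))))")
        raise ValueError(f"unknown term {R!r}")

    def bound(self, i, kind, body, r, sort):
        """bound(i:k, R, r): for every i some value r' of R satisfies r' <= r."""
        rp = self.fresh()
        z = self.lit(0, sort)
        return (f"(forall (({i} {self.sort(kind)})) (=> (>= {i} {self.lit(0, self.sort(kind))}) "
                f"(exists (({rp} {sort})) (and (>= {rp} {z}) {self.T(body, rp, sort)} "
                f"(<= {rp} {r})))))")

    def constraint(self, phi, Phi, R1, R2):
        """phi; Phi |= R1 >= R2 as  forall phi. Phi => exists r1 r2 : S. T(R1)(r1) ^ T(R2)(r2) ^ r1 >= r2.
        phi is a list of (variable, kind); Phi a list of SMT-LIB formulas over those variables."""
        self.kinds.update(dict(phi))
        hyps = [f"(>= {v} {self.lit(0, self.sort(k))})" for v, k in phi] + list(Phi)
        hyp = hyps[0] if len(hyps) == 1 else (f"(and {' '.join(hyps)})" if hyps else 'true')
        r1, r2 = self.fresh(), self.fresh()
        body = (f"(exists (({r1} Real) ({r2} Real)) (and (>= {r1} 0.0) (>= {r2} 0.0) "
                f"{self.T(R1, r1)} {self.T(R2, r2)} (>= {r1} {r2})))")
        if not phi:
            return f"(=> {hyp} {body})"
        binders = ' '.join(f"({v} {self.sort(k)})" for v, k in phi)
        return f"(forall ({binders}) (=> {hyp} {body}))"
```

The output can be wrapped in `(assert (not ...))` and handed to any SMT-LIB solver; an `unsat` answer means the constraint is valid. Note how `sup` produces a `forall` nested under an `exists` under a `forall`: exactly the quantifier alternation that Section 8.2 sets out to eliminate.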

7. Undecidability of Type-checking

As we have seen in the previous section, constraints over our extended sensitivity language can be translated to simple first-order formulas. Taken by itself, this is not entirely satisfactory, as the first-order theory of $\mathbb{N}$ is already undecidable. A nice illustration of this is Hilbert's tenth problem, which asks whether a polynomial equation of the form $P(\vec{x}) = 0$ over several variables has any solution over the natural numbers. After decades of investigation, this property was finally shown to be undecidable.

In this section, we will show that this result makes DFuzz type-checking undecidable. We begin with an auxiliary lemma.

Lemma 9. Given polynomials $P, Q$ over $n$ variables with coefficients in $\mathbb{N}$, checking $\forall \vec{i} \in \mathbb{N}^n.\ P(\vec{i}) \ge Q(\vec{i})$ is undecidable.

Proof. We will use a solution to our problem to solve Hilbert's tenth problem. Suppose we are given a polynomial $P$ with integer coefficients, and we want to decide whether $\exists \vec{i} \in \mathbb{N}^n.\ P(\vec{i}) = 0$. This is equivalent to deciding $\neg \forall \vec{i} \in \mathbb{N}^n.\ P(\vec{i})^2 \ge 1$. Write $P(\vec{i})^2 = P^+(\vec{i}) - P^-(\vec{i})$, where $P^+$ and $P^-$ have only non-negative coefficients. Then our condition is equivalent to $\neg \forall \vec{i} \in \mathbb{N}^n.\ P^+(\vec{i}) \ge P^-(\vec{i}) + 1$. Thus, we can solve Hilbert's tenth problem by using $P^+$ and $P^- + 1$ as inputs to our problem, which shows that it is undecidable. □

We can then show the following.

Theorem 10. DFuzz type checking is undecidable.

Proof. Suppose we are given $P$ and $Q$ as above. Consider the types $\sigma = \forall \vec{i}.\ !_0 \mathbb{N}^n[\vec{i}] \multimap\ !_{Q(\vec{i})} \mathbb{R} \multimap \mathbb{R}$ and $\tau = \forall \vec{i}.\ !_0 \mathbb{N}^n[\vec{i}] \multimap\ !_{P(\vec{i})} \mathbb{R} \multimap \mathbb{R}$. Then $\sigma \sqsubseteq \tau$ is equivalent to $\forall \vec{i}.\ P(\vec{i}) \ge Q(\vec{i})$. On the other hand, using recursion and dependent pattern matching, it is possible to write a function that multiplies a real number by a polynomial $Q(\vec{i})$ with variables ranging over $\mathbb{N}$. Its minimal type will clearly be $\sigma$. Therefore, type-checking it against $\tau$ is equivalent to deciding $\sigma \sqsubseteq \tau$; since $P$ and $Q$ are arbitrary, this is undecidable by Lemma 9. □

8. Approaches to Constraint Solving

Given that type-checking DFuzz (and hence also EDFuzz) is undecidable, is there anything more we can do besides feeding the constraints to a solver and hoping for the best? In this section, we discuss two possible directions to tackle these constraints. For both of these approaches, we require that all annotations in the term be standard sensitivities, rather than extended. Then, we have the following lemma. (We defer the proof to the Appendix.)

Lemma 11 (Standard Annotations). Assume annotations in a term $e$ range over standard sensitivities and $\phi;\Phi;\Gamma^*;e \Rightarrow \Gamma;\sigma$. Then:

• $\sigma$ has no extended sensitivities; and

• all constraints required for the algorithm are of the form $\phi;\Phi \models R \ge R'$ where $R$ is a standard sensitivity term.

8.1 Modifying the subtype relation

The first approach is to restrict EDFuzz to a fragment that enjoys decidable type checking, which we call UDFuzz. The main difference between the two languages is the interpretation of subtyping constraints: in UDFuzz, constraint variables are interpreted uniformly, ranging over all possible sensitivity values, regardless of their kind. As noted in Section 6, we can translate such formulas into the first-order theory of real arithmetic; since this theory is decidable, so is UDFuzz type checking.

Of course, this only makes sense if we can show that UDFuzz is sound with respect to EDFuzz. As it turns out, it suffices to restrict UDFuzz annotations to standard sensitivities; as we will see, this forces the subtyping relation of UDFuzz to be a subrelation of the one of EDFuzz. This restriction rules out some programs that are typeable under EDFuzz, but is expressive enough to cover interesting ones, including most of the original examples [10].

Formally, besides the restriction on annotations, UDFuzz is the system obtained from EDFuzz by replacing all constraints of the form $\phi;\Phi \models R \ge R'$ with uniform constraints $\phi;\Phi \models_U R \ge R'$, which have the following interpretation:

$$\forall \rho \in \mathrm{val}_U(\phi).\ \llbracket \Phi \rrbracket^U_\rho \Rightarrow \llbracket R \rrbracket^U_\rho \ge \llbracket R' \rrbracket^U_\rho$$

Here, $\mathrm{val}_U(\phi)$ is the set of all uniform valuations, which map variables in $\mathrm{dom}(\phi)$ to values in $\mathbb{S}$. The denotation of formulas and of sensitivity and size terms is the same as before, except for two cases:

$$\llbracket \mathrm{sup}(i : \kappa, R) \rrbracket^U_\rho := \sup_{r \in \mathbb{S}} \{ \llbracket R \rrbracket^U_{\rho \cup [i = r]} \}$$

$$\llbracket \mathrm{case}(S, R_0, i, R_s) \rrbracket^U_\rho := \begin{cases} \llbracket R_0 \rrbracket^U_\rho & \text{if } \llbracket S \rrbracket^U_\rho = 0 \\ 0 & \text{if } \llbracket S \rrbracket^U_\rho \in (0, 1) \\ \llbracket R_s \rrbracket^U_{\rho \cup [i = r - 1]} & \text{if } \llbracket S \rrbracket^U_\rho = r \ge 1. \end{cases}$$
$$\kappa ::= \mathbb{N} \mid \mathbb{S}$$

$$\begin{aligned}
T(i)(r) &:= i = r \\
T(R_1 + R_2)(r) &:= \exists r_1\, r_2 : \mathbb{S}.\ T(R_1)(r_1) \wedge T(R_2)(r_2) \wedge r = r_1 + r_2 \\
T(R_1 \cdot R_2)(r) &:= \exists r_1\, r_2 : \mathbb{S}.\ T(R_1)(r_1) \wedge T(R_2)(r_2) \wedge r = r_1 \cdot r_2 \\
T(\max(R_1, R_2))(r) &:= \exists r_1\, r_2 : \mathbb{S}.\ T(R_1)(r_1) \wedge T(R_2)(r_2) \wedge (r_1 \ge r_2 \wedge r = r_1 \ \vee\ r_2 \ge r_1 \wedge r = r_2) \\
T(\mathrm{case}(S, R_0, i, R_s))(r) &:= \exists r_s : \mathbb{N}.\ T(S)(r_s) \wedge (r_s = 0 \wedge T(R_0)(r) \ \vee\ \exists i : \mathbb{N}.\ r_s = i + 1 \wedge T(R_s)(r)) \\
T(\mathrm{sup}(i : \kappa, R))(r) &:= \mathrm{bound}(i : \kappa, R, r) \wedge \forall r'.\ \mathrm{bound}(i : \kappa, R, r') \Rightarrow r' \ge r \\
\mathrm{bound}(i : \kappa, R, r) &:= \forall i : \kappa.\ \exists r' : \mathbb{S}.\ T(R)(r') \wedge r' \le r
\end{aligned}$$

Figure 5. Constraint translation


We first show that this uniform semantics is an extension of the standard semantics.

Lemma 12. Suppose $R$ is a standard sensitivity term, typed under environment $\phi$. Then, for any standard valuation $\rho \in \mathrm{val}(\phi)$, we have

$$\llbracket R \rrbracket^U_\rho = \llbracket R \rrbracket_\rho.$$

Proof. Immediate from the definition of the interpretation. □

We are now ready to prove that the uniform interpretation of constraints is sound with respect to the original interpretation.

Theorem 13. Suppose $R, R'$ are well-typed in environment $\phi$, with $R$ standard. Suppose that $\phi;\Phi \models_U R \ge R'$ is valid. Then $\phi;\Phi \models R \ge R'$ is also valid.

Proof. It is clear that for any standard valuation $\rho \in \mathrm{val}(\phi)$, we have $\llbracket R' \rrbracket^U_\rho \ge \llbracket R' \rrbracket_\rho$: on such valuations the only difference between the two interpretations is that sup ranges over the larger domain $\mathbb{S}$ instead of $\mathbb{N}$, which can only increase the value. Since every standard valuation is also a uniform one, the hypothesis of the theorem yields $\llbracket R \rrbracket^U_\rho \ge \llbracket R' \rrbracket^U_\rho \ge \llbracket R' \rrbracket_\rho$ for every standard valuation $\rho \in \mathrm{val}(\phi)$ satisfying $\Phi$. But $R$ is a standard sensitivity, so $\llbracket R \rrbracket^U_\rho = \llbracket R \rrbracket_\rho$ by Lemma 12, and we are done. □

Thanks to Lemma 11, all UDFuzz constraints are of this form, which shows that the subtype relation of UDFuzz is a subrelation of the subtype relation in EDFuzz. By reasoning analogous to Lemma 8, we can show that relaxing the first-order translation of constraints captures this uniform interpretation. More formally:

Lemma 14. For every sensitivity term $R$, let $T^U(R)$ be a unary predicate defined exactly as in Figure 5, but replacing quantification over $\mathbb{N}$ with quantification over $\mathbb{S}$ and with the modified case translation:

$$\begin{aligned}
T^U(\mathrm{case}(S, R_0, i, R_s))(r) := \exists r_s : \mathbb{S}.\ T^U(S)(r_s) \wedge \big( &(r_s = 0 \wedge T^U(R_0)(r)) \\
\vee\ &(0 < r_s < 1 \wedge r = 0) \\
\vee\ &(\exists i : \mathbb{S}.\ i \ge 0 \wedge r_s = i + 1 \wedge T^U(R_s)(r)) \big)
\end{aligned}$$

Then, for $r \in \mathbb{S}$ and every uniform valuation $\rho$ whose domain contains the free variables of $R$, $\llbracket T^U(R)(r) \rrbracket^U_\rho \iff r = \llbracket R \rrbracket^U_\rho$.

By this lemma, we can give a sound, complete and decidable type-checking algorithm for UDFuzz.

Theorem 15. Suppose we use our algorithmic system, with the constraints

$$\phi;\Phi \models_U R_1 \ge R_2$$

handled by translation to the first-order formula

$$\forall \phi.\ \Phi \Rightarrow \exists r : \mathbb{S}.\ T^U(R_2)(r) \wedge R_1 \ge r,$$

where all quantifiers are over $\mathbb{S}$. Since the theory of $\mathbb{S}$ is decidable, this gives an effective type-checking procedure for UDFuzz.

Proof. Note that $R_1$ is a standard sensitivity term, so the translated formula is indeed a first-order formula over the theory of $\mathbb{S}$. By Lemma 14, the translated formula is logically equivalent to $\llbracket R_1 \rrbracket^U_\rho \ge \llbracket R_2 \rrbracket^U_\rho$ for all uniform valuations $\rho \in \mathrm{val}_U(\phi)$ satisfying $\Phi$, which in turn implies $\phi;\Phi \models R_1 \ge R_2$ by Theorem 13. This shows that the algorithmic system is sound and complete with respect to UDFuzz. □

Remark 16. UDFuzz is a strict subset of EDFuzz; informally, it contains the EDFuzz programs with typing derivations that do not use facts true over $\mathbb{N}$ but not over $\mathbb{R}$. One key way that subtyping is used in EDFuzz is for equational manipulations of the indices; for instance, subtyping may be needed to change the index expression $3(i + 1)$ to $3i + 3$. This reasoning is available in UDFuzz as well; indeed, most of the example programs in DFuzz are typeable under UDFuzz as well. (The only exception is k-medians, which extends the index language with a division function that we have not investigated.)

However, there are many programs that lie in EDFuzz but not in UDFuzz: constraints as simple as $\forall i.\ i^2 \ge i$ are true when quantifying over the naturals but not when quantifying over the reals. Valid EDFuzz programs that use these facts in their typing derivation will not lie in UDFuzz.

8.2 Constraint Simplification

The second approach is to simplify the constraints generated by the translation of Section 6, so that they can be better handled by solvers. Since alternating quantifiers are a source of complexity in formulas, we devised a rewriting procedure for producing constraints with no alternating quantifiers. Here, we continue to require that all source annotations be standard sensitivity terms.

To begin, we generalize our three extended constructs with a new constrained least upper bound (club) operation, with form $\mathrm{club}\{(\phi_1;\Phi_1;R_1), \ldots, (\phi_n;\Phi_n;R_n)\}$. Here, $\phi$ is a size and sensitivity variable environment, $\Phi$ is a constraint environment, and $R$ is a sensitivity term, extended or standard. The judgment for a well-formed club is

$$\phi \vdash \mathrm{club}\{(\phi_1;\Phi_1;R_1), \ldots, (\phi_n;\Phi_n;R_n)\},$$

where each $R_j$ has kind $\mathsf{r}$ under $\phi, \phi_j$; $\phi_j \vdash \Phi_j$; and $\phi$, $\phi_j$ have disjoint domains. Intuitively, club is a maximum over a set of sensitivities, restricted to those whose associated constraint is satisfied; sensitivities whose constraints are not satisfied are ignored. Formally, let $\phi$ contain the free variables of the club, and let $\rho \in \mathrm{val}(\phi)$ be any standard valuation. We give the following interpretation of club:

$$\llbracket \mathrm{club}\{(\phi_1;\Phi_1;R_1), \ldots, (\phi_n;\Phi_n;R_n)\} \rrbracket_\rho := \max_{j \in [n]} \max\{ \llbracket R_j \rrbracket_{\rho \cup \rho_j} \mid \rho_j \in \mathrm{val}(\phi_j) \text{ and } \llbracket \Phi_j \rrbracket_{\rho \cup \rho_j} \}.$$

We define the maximum over an empty set to be 0.

Now, we can encode the extended sensitivity terms using only club, through the following translation function:

$$\begin{aligned}
C(\max(R_1, R_2)) &:= \mathrm{club}\{(\emptyset;\emptyset;C(R_1)), (\emptyset;\emptyset;C(R_2))\} \\
C(\mathrm{sup}(i, R)) &:= \mathrm{club}\{(i;\emptyset;C(R))\} \\
C(\mathrm{case}(S, R_0, i, R_s)) &:= \mathrm{club}\{(\emptyset;\ S = 0;\ C(R_0)),\ (i;\ S = i + 1;\ C(R_s))\} \\
C(R_1 + R_2) &:= C(R_1) + C(R_2) \\
C(R_1 \cdot R_2) &:= C(R_1) \cdot C(R_2) \\
C(R) &:= R \quad \text{otherwise.}
\end{aligned}$$

While we may now have nested club terms, we extend the interpretation in the natural way. We can show that the translation faithfully preserves the semantics of the extended terms, with the following lemma.

Lemma 17. Suppose $\phi \vdash R$ and $\rho \in \mathrm{val}(\phi)$ is a standard valuation. Then $\llbracket C(R) \rrbracket_\rho = \llbracket R \rrbracket_\rho$.

Proof. By induction on $R$. □

Now, we can simplify the compiled constraints. First, we can push all standard sensitivity terms to the leaves of the expression. More formally, we have the following lemma.

Lemma 18. Suppose $\phi \vdash R \cdot \mathrm{club}\{(\phi_i;\Phi_i;C_i)\}_i + R'$, where $R, R'$ are standard sensitivity terms, and $C_i$ is an arbitrary sensitivity term possibly involving club. Then, for any standard valuation $\rho \in \mathrm{val}(\phi)$,

$$\llbracket R \cdot \mathrm{club}\{(\phi_i;\Phi_i;C_i)\}_i + R' \rrbracket_\rho = \llbracket \mathrm{club}\{(\phi_i;\Phi_i;R \cdot C_i + R')\}_i \rrbracket_\rho.$$

Proof. By the definition of the interpretations, and the mathematical fact $a \cdot \max_i\{b_i\} + c = \max_i\{a \cdot b_i + c\}$ for $a, b_i, c \ge 0$. □

Thus, without loss of generality we may reduce the compiled sensitivity constraint to an expression of the form $Q$, with grammar

$$Q ::= 0 \mid Q_1 + Q_2 \mid Q_1 \cdot Q_2 \mid \mathrm{club}\{(\phi_i;\Phi_i;Q_i)\} \mid \mathrm{club}\{(\phi_i;\Phi_i;R_i)\}$$

where the $R_i$ are standard sensitivity terms. We will use the metavariable $V$ to denote an arbitrary (possibly empty) collection of triples $(\phi_i;\Phi_i;R_i)_i$, and the metavariable $W$ to denote an arbitrary (possibly empty) collection of triples $(\phi_i;\Phi_i;Q_i)_i$. Throughout, we will implicitly work up to permutation of the arguments to club: for instance, $\mathrm{club}\{(X), (Y)\}$ will be considered the same as $\mathrm{club}\{(Y), (X)\}$. We will also work up to commutativity of addition and multiplication: $Q_1 + Q_2$ will be considered the same as $Q_2 + Q_1$, and likewise for multiplication. We present the constraint simplification rules as a rewrite relation $\mapsto$. As usual, we write $\mapsto^*$ for the reflexive, transitive closure of $\mapsto$. The full rules are in Figure 6.

We can prove correctness of our constraint simplification with the following lemma.

Lemma 19. Suppose $Q \mapsto Q'$, and suppose $\phi \vdash Q$ and $\phi \vdash Q'$. Then, for any standard valuation $\rho \in \mathrm{val}(\phi)$, we have $\llbracket Q \rrbracket_\rho = \llbracket Q' \rrbracket_\rho$.

Proof. By induction on the derivation of $Q \mapsto Q'$. The cases Plus, Mult and Red are immediate by induction. The other cases all follow from the semantics of club; details are in the Appendix. □

The simplification relation terminates in the following particularly simple form.

Lemma 20. Let $Q$ be a sensitivity term involving club. Along any reduction path, $Q$ reduces in finitely many steps to a term of the form $\mathrm{club}\{V\} = \mathrm{club}\{(\phi_1;\Phi_1;R_1), \ldots, (\phi_n;\Phi_n;R_n)\}$.

Proof. First, note that any reduction of $Q$ must terminate in finitely many steps: by induction on the derivation of the reduction, each step removes one club subterm, and no step introduces club subterms. So, suppose that $Q$ is a term with no possible reductions.

By induction on the structure of $Q$, we claim that $Q$ is of the desired form. Say $Q = Q_1 + Q_2$: if either $Q_1$ or $Q_2$ can reduce, then Plus applies; if not, then by induction both are of the form $\mathrm{club}\{V\}$ and CPlus applies. The same reasoning holds for $Q = Q_1 \cdot Q_2$: either Mult applies, or CMult does. Finally, if $Q$ is a single club term and neither Red nor Flat applies, then $Q$ is of the desired form. □

Finally, checking a constraint $\phi;\Phi \models R \ge \mathrm{club}\{V\}$ is simple.

Lemma 21. Let $R$ be a standard sensitivity term, and let $V$ be

$$V = (\phi_1;\Phi_1;R_1), \ldots, (\phi_n;\Phi_n;R_n)$$

where each $R_j$ is a standard sensitivity term without club. Then $\phi;\Phi \models R \ge \mathrm{club}\{V\}$ is logically equivalent to

$$\bigwedge_{j \in [n]} \forall \phi_j.\ \Phi \wedge \Phi_j \Rightarrow R \ge R_j.$$

Proof. Immediate by the semantics of $\mathrm{club}\{V\}$. □

Putting together all the pieces, given a constraint $\phi;\Phi \models R \ge R'$ with $R$ standard, we can transform $C(R')$ into a term of the form $Q$ by pushing all standard sensitivity terms to the leaves. Then, we normalize $Q \mapsto^* \mathrm{club}\{V\}$ by Lemma 20, choosing reductions arbitrarily. By Lemma 19, the interpretations of $Q$ and $\mathrm{club}\{V\}$ are the same, so we can reduce the constraint $\phi;\Phi \models R \ge \mathrm{club}\{V\}$ to a first-order formula over mixed naturals and $\mathbb{S}$, with no alternating quantifiers, by Lemma 21.
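As an added example (not the paper's own code), the following Python code implements the pipeline just described: the translation $C(-)$ into club terms, normalization with the rules of Figure 6 (using Lemma 18 to lift standard subterms into singleton clubs), and the split of Lemma 21 into one per-branch constraint each, with no alternating quantifiers. The tuple encoding of terms, the representation of $\Phi$ as a list of equations, and the renaming of clashing bound variables (the paper instead requires disjoint domains up front) are assumptions of this example.

```python
from itertools import count

# Term encoding constructed for this example; the paper uses mathematical notation.
#   ('var', 'i')    ('const', 3)    ('+', A, B)    ('*', A, B)
#   ('max', A, B)   ('sup', 'i', 'N', A)   ('case', S, R0, 'i', Rs)
#   ('club', [(phi, Phi, Q), ...])  with phi = ((name, kind), ...), Phi = (('=', S, T), ...)
_fresh = count()

def is_standard(t):
    """A standard term contains neither max, sup, case nor club."""
    return t[0] in ('var', 'const') or (
        t[0] in ('+', '*') and is_standard(t[1]) and is_standard(t[2]))

def C(R):
    """Translation C(-) of Section 8.2: encode max, sup and case with club."""
    tag = R[0]
    if tag == 'max':
        return ('club', [((), (), C(R[1])), ((), (), C(R[2]))])
    if tag == 'sup':
        _, i, kind, body = R
        return ('club', [(((i, kind),), (), C(body))])
    if tag == 'case':
        _, S, R0, i, Rs = R
        return ('club', [((), (('=', S, ('const', 0)),), C(R0)),
                         (((i, 'N'),), (('=', S, ('+', ('var', i), ('const', 1))),), C(Rs))])
    if tag in ('+', '*'):
        return (tag, C(R[1]), C(R[2]))
    return R                                           # standard leaf: unchanged

def rename(t, old, new):
    """Substitute variable old by new in a standard term or an equation."""
    if t[0] == 'var':
        return ('var', new) if t[1] == old else t
    if t[0] in ('+', '*', '='):
        return (t[0], rename(t[1], old, new), rename(t[2], old, new))
    return t

def disjoint(phi1, phi2, Phi2, R2):
    """Rename binders of phi2 that clash with phi1: well-formed clubs need disjoint domains."""
    taken = {v for v, _ in phi1}
    for v, _ in list(phi2):
        if v in taken:
            nv = f"{v}{next(_fresh)}"
            phi2 = tuple((nv if w == v else w, k) for w, k in phi2)
            Phi2 = tuple(rename(c, v, nv) for c in Phi2)
            R2 = rename(R2, v, nv)
    return phi2, Phi2, R2

def normalize(Q):
    """Apply Flat, CPlus, CMult, Plus, Mult and Red (Figure 6) until Q is either a
    standard term or one club{V} whose branches carry standard terms (Lemma 20)."""
    tag = Q[0]
    if tag == 'club':
        branches = []
        for phi, Phi, body in Q[1]:
            body = normalize(body)                     # Red: reduce inside the branch
            if body[0] == 'club':                      # Flat: hoist the nested club
                for phi2, Phi2, R in body[1]:
                    phi2, Phi2, R = disjoint(phi, phi2, Phi2, R)
                    branches.append((phi + phi2, Phi + Phi2, R))
            else:
                branches.append((phi, Phi, body))
        return ('club', branches)
    if tag in ('+', '*'):
        a, b = normalize(Q[1]), normalize(Q[2])        # Plus / Mult: operands first
        if a[0] != 'club' and b[0] != 'club':
            return (tag, a, b)                         # purely standard: nothing to do
        if a[0] != 'club':
            a = ('club', [((), (), a)])                # Lemma 18: standard R is club{(∅; ∅; R)}
        if b[0] != 'club':
            b = ('club', [((), (), b)])
        out = []                                       # CPlus / CMult: pair up the branches
        for pa, Ca, Ra in a[1]:
            for pb, Cb, Rb in b[1]:
                pb, Cb, Rb = disjoint(pa, pb, Cb, Rb)
                out.append((pa + pb, Ca + Cb, (tag, Ra, Rb)))
        return ('club', out)
    return Q                                           # standard leaf

def constraints(phi, Phi, R, Rprime):
    """Lemma 21: phi; Phi |= R >= R' (R standard) becomes one constraint
    phi, phi_j; Phi ∧ Phi_j |= R >= R_j per branch j of the normalized club."""
    V = normalize(C(Rprime))
    if V[0] != 'club':
        V = ('club', [((), (), V)])
    return [(phi + pj, Phi + Cj, R, Rj) for pj, Cj, Rj in V[1]]

def show(t):
    """Render a term or equation in readable form."""
    tag = t[0]
    if tag == 'var':
        return t[1]
    if tag == 'const':
        return str(t[1])
    if tag in ('+', '*', '='):
        return f"({show(t[1])} {tag} {show(t[2])})"
    return repr(t)

if __name__ == '__main__':
    # Constructed sample with the shape of a constraint produced by the (N E) rule.
    S, k, t = ('var', 'S'), ('var', 'k'), ('var', 't')
    Rp = ('+', ('case', S, ('const', 1), 'i', ('*', ('const', 2), ('var', 'i'))),
          ('*', ('const', 3), ('max', k, ('const', 5))))
    for phi, Phi, R, Rj in constraints((('S', 'N'), ('k', 'S')), (), t, Rp):
        print(phi, [show(c) for c in Phi], f"{show(R)} >= {show(Rj)}")
```

Each tuple returned by `constraints` is a single universally quantified polynomial inequality under a conjunction of equations, which is what Lemma 21 promises. The renaming in `disjoint` matters in practice: CPlus and CMult take the union of the binders of both clubs, so two sup terms that reuse the same bound name would otherwise capture each other.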


$$\mathrm{club}\{(\phi;\Phi;\mathrm{club}\{(\phi_i;\Phi_i;R_i)\}_i), V\} \mapsto \mathrm{club}\{(\phi \cup \phi_i;\ \Phi \wedge \Phi_i;\ R_i)_i, V\} \quad (\mathrm{Flat})$$

$$\mathrm{club}\{(\phi_i;\Phi_i;R_i)\}_i + \mathrm{club}\{(\phi'_j;\Phi'_j;R'_j)\}_j \mapsto \mathrm{club}\{(\phi_i \cup \phi'_j;\ \Phi_i \wedge \Phi'_j;\ R_i + R'_j)\}_{i,j} \quad (\mathrm{CPlus})$$

$$\mathrm{club}\{(\phi_i;\Phi_i;R_i)\}_i \cdot \mathrm{club}\{(\phi'_j;\Phi'_j;R'_j)\}_j \mapsto \mathrm{club}\{(\phi_i \cup \phi'_j;\ \Phi_i \wedge \Phi'_j;\ R_i \cdot R'_j)\}_{i,j} \quad (\mathrm{CMult})$$

$$\frac{Q_1 \mapsto Q_1'}{Q_1 + Q_2 \mapsto Q_1' + Q_2}\ (\mathrm{Plus}) \qquad \frac{Q_1 \mapsto Q_1'}{Q_1 \cdot Q_2 \mapsto Q_1' \cdot Q_2}\ (\mathrm{Mult}) \qquad \frac{Q \mapsto Q'}{\mathrm{club}\{(\phi;\Phi;Q), W\} \mapsto \mathrm{club}\{(\phi;\Phi;Q'), W\}}\ (\mathrm{Red})$$

Figure 6. club reduction

9. Implementation and Usability

We have implemented our algorithm for EDFuzz, including the constraint simplification described in the previous section, in a prototype type-checker. The tool is written in OCaml, and uses the Why3 framework to check the generated numeric inequalities with SMT solvers. We have successfully type-checked a range of examples, including all but one of the examples from the original DFuzz paper. The remaining example involves a "safe division" operation on the sensitivity language; we believe this operation can also be handled with our techniques. The solvers had no problem solving the mixed natural/real constraints on our examples, even though the problem is undecidable in general.

In our experience, the type-checker was quite usable. To give an idea of the annotation burden in a typical example, consider the raw, annotated program below.

    function cdf forall (i:size) (b:list(num)[i]) (db:[i]num bag) : list(num)[i] {
      listcase b of list(num)[i] {
        [] => nil@[num]
      | x :: xs [m] =>
          let (lt, gt) = bagsplit@[num] (fun (n:num) : bool {n < x}) db;
          let count = (bagsize lt);
          let bigger = cdf[m] xs gt;
          cons@[num][m] count bigger } }

This is a modified version of an original DFuzz example. It uses a few extensions to the system we have described, including additional primitive types (bag) and lists with a basic form of polymorphism.


Our experience with error reporting was generally good. The tool points out the location of the failed check, which was usually not far from the actual error. The error messages leave a bit to be desired (usually, a polynomial inequality that can't be proved); we leave improving this aspect to future work.

The implementation and examples are available online.⁴

10. Related work 

There is a vast literature on type checking for various combinations 
of indexed types, linear types, dependent types and subtyping. 
A distinctive feature of our approach is that our index language 
represents natural and real number expressions. As we have shown 
in the previous sections, this makes type checking non-trivial. 

The work most closely related to ours is Dal Lago et al. [6], who studied the type-inference problem for dℓPCF, a relatively complete type system for complexity analysis introduced in Dal Lago and Gaboardi [4]. dℓPCF uses ideas similar to DFuzz but pushes the idea of linear dependent types to the limit. Indeed, the dℓPCF index language contains function symbols that are given meaning by an equational program. The equational program then plays the role of an oracle for the type system; dℓPCF is in fact a family of type systems parametrized over the equational program. The main contribution of Dal Lago et al. [6] is an algorithm that, given a PCF program, generates a type and the set of constraints that must be satisfied in order to assign the return type to the input term.

In our terminology, their work is similar to the top-down approach we detailed in Section 3. As we discussed there, the complication of this approach is that it requires solving constraints over expressions, with possible function symbols, of the index-level language. As shown by Dal Lago and Petit, a clear advantage of the dℓPCF formulation is that instead of introducing an existential variable over expressions, one can introduce a new function symbol that will then be given meaning by the equational program generated by the constraints; i.e., the constraints give a description of the semantics of the program, which can be turned into an equational program, which in turn gives meaning to the function symbols of the index language appearing in the type. Clearly, this approach cannot be reduced to numeric resolution and needs instead a combination of numeric and symbolic solving technology. The authors show that these constraints can nevertheless be handled using the Why3 framework. Some constraints are discharged automatically by some of the solvers available in Why3, while others require interactive resolution using Coq.

As explained in Section 3, the situation with DFuzz is different. Indeed, DFuzz can be seen as a simplified version of dℓPCF, simplifying in particular the typing for the fixpoint and without variable bindings in !-types, extended however to deal with indices representing real numbers and using quantification over index variables. A key distinction of DFuzz is that the set of constructors for the language of sensitivities is fixed: one cannot add arbitrary functions. Moreover, the extension to real numbers gives a different behavior from how natural numbers are used in dℓPCF; e.g., our example for the lack of minimal types would make no sense in dℓPCF. These distinctions make the type checking problem very different.

⁴ https://github.com/ejgallego/dfuzz

For another approach that is closely related to our work, recall that DFuzz is an extension of Fuzz. The sensitivity-inference and sensitivity-checking problems for Fuzz have been studied in D'Antoni et al. [7]. These problems are simpler than the one studied here since in Fuzz there is no dependency, no quantification and no subtyping. Indeed, the constraints generated are much simpler and can be solved quickly by an SMT solver.

Similarly, Eigner and Maffei [9] have studied an extension of Fuzz for modeling protocols. In their work they also give an algorithmic version of their type system. Their type system presents challenges similar to Fuzz, which they handle with algebraic manipulations. More precisely, their algorithmic version uses a technique similar to the one developed in Cervesato et al. [2] for the splitting of resources: when a rule with multiple premises is encountered, the algorithmic system first allocates all the resources to the first branch and then allocates the remaining resources to the second branch. Unfortunately, this approach cannot be easily applied to DFuzz due to the presence of index variables and dependent pattern matching.

From a different direction, recent works [1, 13] have shown how linear indexed type systems can be made more abstract and useful for analyzing abstract resources. In particular, this kind of analysis is connected to comonadic notions of computation [20]. The type-inference algorithm described in Ghica and Smith [13] is parametric in an abstract notion of resource. This resource can be instantiated with a language for sensitivities similar to the one in Fuzz, so this abstract type-inference procedure could also be used for sensitivity analysis.

DFuzz is one of several languages combining linear and depen¬ 
dent types. For example, ATS [3] is designed around a dependent 
type system enriched with a notion of resources that is a type-level 
representation of memory locations; these resources are managed 
using a linear discipline. ATS uses these features to verify the cor¬ 
rectness of memory and pointer management. 

Even if the use of linear types in ATS is very different from the one presented here, our type checking algorithm shares some similarities with that of ATS. The main difference is that ATS uses interactive theorem proving to discharge proof obligations while, thanks to the restricted scope of our analysis, our constraints can be handled by numeric solvers. In contrast, DML [26], a predecessor of ATS which did not use linear types, uses an approach similar to ours by solving proof obligations using automatic numeric resolution. This required limitations on the operations available in the index language, similar to DFuzz.

Another work considering lightweight dependent types is the one 
by Zhu and Jagannathan [27]. In particular they propose a technique 
based on dependent types to reduce the verification of higher order 
programs to the verification of a first order language. While the goal 
of their work is similar in spirit to ours, their technique has only 
superficial similarities with the one presented here. 

Finally, our work has been informed by the wide literature on 
type-checking, far too large to summarize here. For instance, the 
problem of dealing with subtyping rules by using syntax-directed 
systems has been studied by Pierce and Steffen [21], and others. 

11. Conclusions and Future Work 

We have presented a type-checking and sensitivity-inference 
algorithm for EDFuzz, a simple extension of DFuzz, featuring a 
linear indexed dependent type system. While we have shown that 
DFuzz type checking is undecidable in the general case, our 
approach generates constraints over the first-order theory of the 
reals and naturals, for which there are standard (though necessarily 
incomplete) solvers. 

Overall, our design was guided by two principles: to stay as 
close to DFuzz as possible, and to provide a practical type-checking 
procedure. While we do require extensions to DFuzz, there is a clear 
motivation for the introduction of each new construct. The idea 
of making a limited enrichment of the index language in order to 
simplify type-checking may be applicable to other linear indexed 
type systems. Furthermore, designers of such systems would do well 
to keep implementability in mind: seemingly unimportant decisions 
that simplify the metatheory may have a serious impact on type- 
checking. 

References 

[1] A. Brunel, M. Gaboardi, D. Mazza, and S. Zdancewic. A core quantitative coeffect calculus. In European Symposium on Programming (ESOP), Grenoble, France. Springer, 2014. 

[2] I. Cervesato, J. S. Hodas, and F. Pfenning. Efficient resource management for linear logic proof search. Theoretical Computer Science, 232(1-2):133-163, 2000. 

[3] C. Chen and H. Xi. Combining programming with theorem proving. In ACM SIGPLAN International Conference on Functional Programming (ICFP), Tallinn, Estonia, pages 66-77, 2005. ISBN 1-59593-064-7. 

[4] U. Dal Lago and M. Gaboardi. Linear dependent types and relative completeness. In IEEE Symposium on Logic in Computer Science (LICS), Toronto, Ontario, pages 133-142. IE

---

Example 5 (partial output, lead-in truncated). The model is editing a security-corpus page about DFuzz type-checking; most of the section is OCR-garbled typing rules and proofs.

```
<gr_replace lines="1797-1921" cat="reformat" orig="[1] A. Brunei">
[1] A. Brunel, M. Gaboardi, D. Mazza, and S. Zdancewic. A core quantitative coeffect calculus. In European Symposium on Programming (ESOP), Grenoble, France. Springer, 2014. 

[2] I. Cervesato, J. S. Hodas, and F. Pfenning. Efficient resource management for linear logic proof search. Theoretical Computer Science, 232(1-2):133-163, 2000. 

[3] C. Chen and H. Xi. Combining programming with theorem proving. In ACM SIGPLAN International Conference on Functional Programming (ICFP), Tallinn, Estonia, pages 66-77, 2005. ISBN 1-59593-064-7. 

[4] U. Dal Lago and M. Gaboardi. Linear dependent types and relative completeness. In IEEE Symposium on Logic in Computer Science (LICS), Toronto, Ontario, pages 133-142. IEEE, 2011. 

[5] U. Dal Lago and U. Schöpp. Functional programming in sublinear space. In ACM Transactions on Programming Languages and Systems, pages 205-225. Springer, 2010. 

[6] U. Dal Lago, B. Petit, et al. The geometry of types. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), Rome, Italy, pages 167-178, 2013. 

[7] L. D'Antoni, M. Gaboardi, E. J. Gallego Arias, A. Haeberlen, and B. C. Pierce. Sensitivity analysis using type-based constraints. In Workshop on Functional Programming Concepts in Domain-specific Languages (FPCDSL), FPCDSL '13, pages 43-50, New York, NY, USA, 2013. ACM. ISBN 978-1-4503-2380-2. 

[8] D. Dreyer, K. Crary, and R. Harper. A type system for higher-order modules. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), New Orleans, Louisiana, POPL '03, pages 236-249, New York, NY, USA, 2003. ACM. ISBN 1-58113-628-5. 

[9] F. Eigner and M. Maffei. Differential privacy by typing in security protocols. In IEEE Computer Security Foundations Symposium, New Orleans, Louisiana, pages 272-286, 2013. 

[10] M. Gaboardi, A. Haeberlen, J. Hsu, A. Narayan, and B. C. Pierce. Linear dependent types for differential privacy. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), Rome, Italy, POPL '13, pages 357-370, New York, NY, USA, 2013. ACM. ISBN 978-1-4503-1832-7. 

[11] G. Ghelli and B. Pierce. Bounded existentials and minimal typing. Theoretical Computer Science, 193(1-2):75-96, 1998. 

[12] D. R. Ghica and A. Smith. Geometry of synthesis III: Resource management through type inference. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), Austin, Texas, volume 46, pages 345-356. ACM, 2011. 

[13] D. R. Ghica and A. Smith. Bounded linear types in a resource semiring. In European Symposium on Programming (ESOP), Grenoble, France. Springer, 2014. 

[14] J.-Y. Girard, A. Scedrov, and P. J. Scott. Bounded linear logic: a modular approach to polynomial-time computability. Theoretical Computer Science, 97(1):1-66, 1992. 

[15] B. Heeren, J. Hage, and D. Swierstra. Generalizing Hindley-Milner type inference algorithms. Technical report, 2002. 

[16] U. Dal Lago and B. Petit. Linear dependent types in a call-by-value scenario. In D. De Schreye, G. Janssens, and A. King, editors, ACM SIGPLAN International Conference on Principles and Practice of Declarative Programming (PPDP), Leuven, Belgium, pages 115-126. ACM, 2012. ISBN 978-1-4503-1522-7. 

[17] U. Dal Lago and U. Schöpp. Type inference for sublinear space functional programming. In K. Ueda, editor, Asian Symposium on Programming Languages and Systems (APLAS), Shanghai, China, volume 6461 of Lecture Notes in Computer Science, pages 376-391. Springer, 2010. ISBN 978-3-642-17163-5. 

[18] M. Lillibridge. Translucent Sums: A Foundation for Higher-Order Module Systems. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, December 1996. 

[19] M. Odersky, M. Sulzmann, and M. Wehr. Type inference with constrained types. TAPOS, 5(1):35-55, 1999. 

[20] T. Petricek, D. Orchard, and A. Mycroft. Coeffects: Unified static analysis of context-dependence. In International Colloquium on Automata, Languages and Programming (ICALP), Riga, Latvia, pages 385-397. Springer, 2013. 

[21] B. C. Pierce and M. Steffen. Higher-order subtyping. In IFIP Working Conference on Programming Concepts, Methods and Calculi (PROCOMET), pages 511-530, 1994. Full version in Theoretical Computer Science, vol. 176, no. 1-2, pp. 235-282, 1997 (corrigendum in TCS vol. 184 (1997), p. 247). 

[22] F. Pottier and D. Rémy. The essence of ML type inference. In B. C. Pierce, editor, Advanced Topics in Types and Programming Languages, chapter 10, pages 389-489. MIT Press, 2005. 

[23] J. Reed and B. C. Pierce. Distance makes the types grow stronger: A calculus for differential privacy. In ACM SIGPLAN International Conference on Functional Programming (ICFP), Baltimore, Maryland, ICFP '10, pages 157-168, New York, NY, USA, 2010. ISBN 978-1-60558-794-3. 

[24] P. Wadler. Is there a use for linear logic? In Symposium on Partial Evaluation and Semantics-Based Program Manipulation (PEPM), New Haven, Connecticut, volume 26, pages 255-273. ACM, 1991. 

[25] D. A. Wright and C. A. Baker-Finch. Usage analysis with natural reduction types. In P. Cousot, M. Falaschi, G. Filé, and A. Rauzy, editors, Workshop on Static Analysis (WSA), Padova, Italy, volume 724 of Lecture Notes in Computer Science, pages 254-266. Springer, 1993. ISBN 3-540-57264-3. 

[26] H. Xi and F. Pfenning. Dependent types in practical programming. In ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL), San Antonio, Texas, pages 214-227. ACM, 1999. 

[27] H. Zhu and S. Jagannathan. Compositional and lightweight dependent type inference for ML. In International Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI), Rome, Italy, pages 295-314. Springer, 2013. 


PREPRINT 


12 


2015/3/17 


Figure 7. DFuzz □ Type Judgment: rules $(\sqsubseteq L)$, $(\sqsubseteq R)$, (ConstN), (ConstR), (Var), $(\otimes I)$, $(\otimes E)$, $(\& I)$, $(\& E)$, $(\multimap I)$, $(\multimap E)$, $(\forall I)$, $(\forall E)$, (Fix), (S I), (N E). 


A. Differences Compared to Gaboardi et al. [10] 

While we hew closely to the presentation of DFuzz in Gaboardi et al. [10], we make a few technical changes. 

• The environment weakening operation $\Gamma \sqsubseteq \Gamma'$ in DFuzz allows the types to change. That is, a binding $x :[R]\ \sigma \in \Gamma$ can be weakened to $x :[R]\ \sigma'$ for $\sigma \sqsubseteq \sigma'$ two syntactically different types. We take a more restricted weakening rule, where the types must be syntactically the same; we are unaware of any programs that need the more general rule. 

• We take the interpretation of $\infty \cdot 0$ to be $\infty$, rather than 0. 

• We assume some additional type annotations in the source language, as discussed in Section 5. 

B. The DFuzz □ system 

The first system aims at environment "uniformity", in the sense that sensitivity information in the environments may be missing. 
We denote such an assignment $x :[\square]\ \sigma$. This is a subtle technical point, but it is crucial to enable syntax-directed typability. 

We modify subtyping for environments such that $\Gamma \sqsubseteq \Delta$ requires $\Gamma, \Delta$ to have the same domain. The new rule is: 
\[
\frac{\mathrm{dom}(\Delta) = \mathrm{dom}(\Gamma) \quad \forall (x_i :[R_i]\ \sigma_i,\; x_i :[R_i']\ \sigma_i) \in (\Gamma, \Delta).\ (\phi;\Phi \models R_i \geq R_i') \vee R_i' = \square}{\phi;\Phi \models \Gamma \sqsubseteq \Delta}
\]
This subsumes regular variable weakening. Environment operations must be aware of $\square$, with $\square + R = R$ and $R \cdot \square = \square$ for the annotations. 

Definition 22 (Box erasure). For any environment $\Gamma$, we define the $\square$-erasure operation $|\Gamma| = \{x :[R]\ \sigma \mid x :[R]\ \sigma \in \Gamma \wedge R \neq \square\}$. 

We introduce the $\square$ system in Figure 7. 

We prove that derivations in a system with $\square$ are in direct correspondence with derivations in a system without it. 

Lemma 23. Assume $\phi;\Phi \mid \Gamma \vdash e : \sigma$ in the $\square$ system; then $\phi;\Phi \mid |\Gamma| \vdash e : \sigma$ in the system without it. 

Proof. By induction on the typing derivation. The base cases and the cases where the environment is not modified are immediate. Subtyping on 
the left is proven by weakening. 

The remaining cases split in two: 

• All cases featuring variables in the top rule also have the condition $R \neq \square$; this is enough. 

• For the cases involving environment operations, the proof is completed by the following properties: 
\[
|R \cdot \Gamma| = R \cdot |\Gamma| \qquad |\Gamma + \Delta| = |\Gamma| + |\Delta|
\]
□ 

Lemma 24. Assume $\phi;\Phi \mid \Gamma \vdash e : \sigma$ in the system without $\square$; then $\phi;\Phi \mid \Gamma \vdash e : \sigma$ in the system with it. 

Proof. The proof is mostly routine by induction on the derivation, but relies on the following fact of the $\square$ system: $\phi;\Phi \mid \Gamma \vdash e : \sigma$ implies 
$\phi;\Phi \mid \Gamma, x :[\square]\ \tau \vdash e : \sigma$. Then, using this lemma we can adjust the environments so that subtyping goes through in the system with $\square$. □ 

A $\square$-elimination operation $R_{\square\uparrow}$, which sends environment annotations to sensitivities, will prove useful in the syntax-directed system. It 
is defined as $\square_{\square\uparrow} = 0$ and $R_{\square\uparrow} = R$ otherwise. Remember that $\square$ doesn't belong to the sensitivity language, so any annotation that is used in 
places where a sensitivity is expected must be wrapped with $(\cdot)_{\square\uparrow}$. 

Definition 25 (Extension to environment operations). Operations on extended sensitivities that were extended to environments in a pointwise 
fashion must now take into account the presence of $\square$. 

• $\max(R_1, R_2)$ now operates as $\max(\square, \square) = \square$, $\max(\square, R) = R$, $\max(R, \square) = R$, the original term otherwise. 

• $\sup(i, R)$ is extended in the natural way: $\sup(i, \square) = \square$, the original term otherwise. 

• $\mathsf{case}(S, i, R_0, R_s)$ now operates as $\mathsf{case}(S, i, \square, \square) = \square$, and $\mathsf{case}(S, i, R_0, R_s) = \mathsf{case}(S, i, R_{0\square\uparrow}, R_{s\square\uparrow})$ otherwise. 


C. Subtyping Proofs 

From now on we can consider only environments of similar length. We prove a few necessary facts about subtyping. 

Lemma 26 (Environment manipulation). Environment subtyping is preserved by addition and scalar multiplication. More formally: 

• If $\phi;\Phi \models \Gamma \sqsubseteq \Gamma' \wedge \Delta \sqsubseteq \Delta'$, then $\phi;\Phi \models \Gamma + \Delta \sqsubseteq \Gamma' + \Delta'$; and 

• If $\phi;\Phi \models \Gamma \sqsubseteq \Gamma' \wedge R \geq R'$, then $\phi;\Phi \models R \cdot \Gamma \sqsubseteq R' \cdot \Gamma'$. 

Proof. These follow from the interpretation of subtyping assertions. Note that the subtyping relation preserves the skeleton of the environments, 
thus making sure that the operations are always defined. □ 
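The following is an added Python model of the environment algebra of Definitions 22 and 25 and of the subtyping rule above; it is not code from the paper. It takes sensitivities to be concrete non-negative reals or ∞ rather than index terms (so sup and case are left out), and checks the erasure identities used in Lemma 23, both clauses of Lemma 26 and the max corollary of Lemma 27 on constructed environments.

```python
"""Toy model of DFuzz environments with the □ annotation of Appendix B.
Added example, not the paper's code: sensitivities are concrete
non-negative reals or ∞ instead of index terms, so sup(i, R) and
case(S, i, R0, Rs) are not modelled; +, R·Γ, max, □-erasure,
□-elimination and environment subtyping are."""
from typing import Callable, Dict, Optional, Tuple

INF = float("inf")
BOX = None                         # □: binding present, sensitivity missing
Sens = Optional[float]             # non-negative real, INF, or BOX
Env = Dict[str, Tuple[Sens, str]]  # variable -> (annotation, type name)

def box_elim(r: Sens) -> float:
    """R_□↑: □ becomes 0, a real sensitivity is unchanged."""
    return 0.0 if r is BOX else r

def sens_add(r1: Sens, r2: Sens) -> Sens:
    """□ + R = R + □ = R, hence □ + □ = □."""
    if r1 is BOX:
        return r2
    if r2 is BOX:
        return r1
    return r1 + r2

def sens_scale(k: float, r: Sens) -> Sens:
    """k · □ = □; following Appendix A, ∞ · 0 = ∞."""
    if r is BOX:
        return BOX
    if k == INF or r == INF:
        return INF
    return k * r

def sens_max(r1: Sens, r2: Sens) -> Sens:
    """Definition 25: max(□, □) = □, max(□, R) = max(R, □) = R."""
    if r1 is BOX:
        return r2
    if r2 is BOX:
        return r1
    return max(r1, r2)

def _pointwise(op: Callable[[Sens, Sens], Sens], gamma: Env, delta: Env) -> Env:
    """Combine two environments variable by variable. A variable missing on
    one side counts as □ there; the types of a shared variable must agree,
    as in the paper's restricted weakening."""
    out: Env = {}
    for x in gamma.keys() | delta.keys():
        r1, t1 = gamma.get(x, (BOX, None))
        r2, t2 = delta.get(x, (BOX, None))
        if t1 is not None and t2 is not None and t1 != t2:
            raise ValueError(f"type mismatch for {x}: {t1} vs {t2}")
        out[x] = (op(r1, r2), t1 if t1 is not None else t2)
    return out

def env_add(gamma: Env, delta: Env) -> Env:
    return _pointwise(sens_add, gamma, delta)

def env_max(gamma: Env, delta: Env) -> Env:
    return _pointwise(sens_max, gamma, delta)

def env_scale(k: float, gamma: Env) -> Env:
    return {x: (sens_scale(k, r), t) for x, (r, t) in gamma.items()}

def erase(gamma: Env) -> Env:
    """Definition 22: |Γ| drops every binding annotated with □."""
    return {x: (r, t) for x, (r, t) in gamma.items() if r is not BOX}

def env_subtype(gamma: Env, delta: Env) -> bool:
    """Γ ⊑ Δ (Appendix B): equal domains and types, and for every x either
    Δ's annotation is □ or Γ's annotation is a sensitivity ≥ Δ's."""
    if gamma.keys() != delta.keys():
        return False
    for x, (r_g, t_g) in gamma.items():
        r_d, t_d = delta[x]
        if t_g != t_d or (r_d is not BOX and (r_g is BOX or r_g < r_d)):
            return False
    return True

def check_properties() -> Dict[str, bool]:
    """Check the erasure identities of Lemma 23, Lemma 26 and the max
    corollary of Lemma 27 on small constructed environments."""
    g1: Env = {"x": (2.0, "R"), "y": (BOX, "R"), "z": (1.0, "N")}   # constructed
    d1: Env = {"x": (1.0, "R"), "y": (BOX, "R"), "z": (BOX, "N")}   # constructed
    g2: Env = {"x": (INF, "R"), "y": (3.0, "R"), "z": (0.0, "N")}   # constructed
    d2: Env = {"x": (4.0, "R"), "y": (BOX, "R"), "z": (0.0, "N")}   # constructed
    gmax = env_max(g1, g2)
    return {
        "g1 ⊑ d1": env_subtype(g1, d1),
        "d1 ⊑ g1 fails": not env_subtype(d1, g1),
        "|R·Γ| = R·|Γ|": erase(env_scale(3.0, g1)) == env_scale(3.0, erase(g1)),
        "|Γ + Δ| = |Γ| + |Δ|": erase(env_add(g1, g2)) == env_add(erase(g1), erase(g2)),
        "+ preserves ⊑": env_subtype(env_add(g1, g2), env_add(d1, d2)),
        "R· preserves ⊑": env_subtype(env_scale(INF, g1), env_scale(2.0, d1)),
        "max(Γ1, Γ2) ⊑ Γ1, Γ2": env_subtype(gmax, g1) and env_subtype(gmax, g2),
        "∞ · 0 = ∞": sens_scale(INF, 0.0) == INF,
    }
```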

Lemma 27 (Properties of extended sensitivities). Extended sensitivities satisfy the following properties: 

• $\phi;\Phi \models R \geq \max(R_1, R_2)$ if and only if $\phi;\Phi \models R \geq R_1 \wedge R \geq R_2$; 

• $\phi;\Phi \models R \geq \sup(i, R')$ if and only if $\phi, i;\Phi \models R \geq R'$; and 

• $\phi;\Phi \models R \geq \mathsf{case}(S, i, R_0, R_s)$ if and only if 
$\phi;\Phi, S = 0 \models R \geq R_0$ and $\phi, i;\Phi, S = i + 1 \models R \geq R_s$. 

As an immediate corollary, setting $R$ to be $\max(R_1, R_2)$, $\sup(i, R')$, $\mathsf{case}(S, i, R_0, R_s)$ yields 

• $\phi;\Phi \models \max(R_1, R_2) \geq R_1 \wedge \max(R_1, R_2) \geq R_2$; 

• $\phi, i;\Phi \models \sup(i, R') \geq R'$; and 

• $\phi;\Phi, S = 0 \models \mathsf{case}(S, i, R_0, R_s) \geq R_0$ and $\phi, i;\Phi, S = i + 1 \models \mathsf{case}(S, i, R_0, R_s) \geq R_s$. 

Proof. These follow from the interpretation of extended sensitivities. □ 

Lemma 28. Suppose $\phi, i : \kappa;\Phi \models \sigma \sqsubseteq \tau$. Then for any $\phi \models S : \kappa$, we have 
\[
\phi;\Phi \models \sigma[S/i] \sqsubseteq \tau[S/i].
\]

Proof. By induction on the subtype derivation. For the base cases, we know $\phi, i : \kappa;\Phi \models R \geq R'$ and we need to prove 
\[
\forall \rho.\ (\Phi \Rightarrow R[S/i] \geq R'[S/i]),
\]
but this is clear from the interpretation of $R, R'$. □ 


D. The Syntax-Directed system 

The syntax-directed system is presented in Figure 8. It works over a uniform environment, using $\square$ annotations to "mark" variables not 
occurring in the original DFuzz derivation. 

We first prove the system sound with respect to the non-syntax-directed one. 

Lemma 29 (Syntax-directed soundness). If $\phi;\Phi \mid \Gamma \vdash_S e : \sigma$ has a derivation, then $\phi;\Phi \mid \Gamma \vdash e : \sigma$. 


Proof. By induction on the derivation proving $\phi;\Phi \mid \Gamma \vdash_S e : \sigma$. 

Case: (Var) 
\[
\frac{}{\phi;\Phi \mid \mathrm{Ectx}(\Gamma^*),\, x :[1]\ \sigma \vdash_S x : \sigma}\ (\mathrm{Var})
\]
Immediate; the same rule applies. 

Case: $(\otimes I)$ 
\[
\frac{\phi;\Phi \mid \Gamma_1 \vdash_S e_1 : \sigma \quad \phi;\Phi \mid \Gamma_2 \vdash_S e_2 : \tau}{\phi;\Phi \mid \Gamma_1 + \Gamma_2 \vdash_S (e_1, e_2) : \sigma \otimes \tau}\ (\otimes I)
\]
Immediate by induction; the same rule applies. 
Figure 8. DFuzz Type Judgment, Syntax-directed Version: rules (Var), $(\otimes I)$, $(\otimes E)$, $(\& I)$, $(\& E)$, $(\multimap I)$, $(\multimap E)$, $(\forall I)$, $(\forall E)$, (Fix), (N E), together with the definition $\mathrm{Ectx}(\Gamma^*) := \Delta$ with $\mathrm{dom}(\Gamma^*) = \mathrm{dom}(\Delta)$ and every binding of $\Delta$ annotated with $\square$. 


Case: $(\otimes E)$ 
\[
\frac{\phi;\Phi \mid \Delta \vdash_S e : \sigma \otimes \tau \quad \phi;\Phi \mid \Gamma,\, x :[R_1]\ \sigma,\, y :[R_2]\ \tau \vdash_S e' : \mu}{\phi;\Phi \mid \Gamma + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta \vdash_S \mathsf{let}(x, y) = e\ \mathsf{in}\ e' : \mu}\ (\otimes E)
\]
By induction, we have 
\[
\phi;\Phi \mid \Delta \vdash e : \sigma \otimes \tau \quad\text{and}\quad \phi;\Phi \mid \Gamma,\, x :[R_1]\ \sigma,\, y :[R_2]\ \tau \vdash e' : \mu.
\]
By Lemma 27, $\phi;\Phi \models \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \geq R_{i\square\uparrow}$ for $i = 1, 2$. Abbreviating $R^* = \max(R_{1\square\uparrow}, R_{2\square\uparrow})$ and applying weakening we 
have: 
\[
\phi;\Phi \mid \Gamma,\, x :[R^*]\ \sigma,\, y :[R^*]\ \tau \vdash e' : \mu
\]
with $R^* \neq \square$, so we have exactly what we need to apply $(\otimes E)$. 

Case: $(\& I)$ 
\[
\frac{\phi;\Phi \mid \Gamma_1 \vdash_S e_1 : \sigma \quad \phi;\Phi \mid \Gamma_2 \vdash_S e_2 : \tau}{\phi;\Phi \mid \max(\Gamma_1, \Gamma_2) \vdash_S (e_1, e_2) : \sigma \,\&\, \tau}\ (\& I)
\]
By induction, we have $\phi;\Phi \mid \Gamma_1 \vdash e_1 : \sigma$ and $\phi;\Phi \mid \Gamma_2 \vdash e_2 : \tau$. By Lemma 27, we have 
\[
\phi;\Phi \models \max(\Gamma_1, \Gamma_2) \sqsubseteq \Gamma_1 \quad\text{and}\quad \phi;\Phi \models \max(\Gamma_1, \Gamma_2) \sqsubseteq \Gamma_2.
\]
By weakening, we can derive $\phi;\Phi \mid \max(\Gamma_1, \Gamma_2) \vdash e_1 : \sigma$ and $\phi;\Phi \mid \max(\Gamma_1, \Gamma_2) \vdash e_2 : \tau$, 
whence we can conclude by $(\& I)$. 

Case: $(\& E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash_S e : \sigma_1 \,\&\, \sigma_2}{\phi;\Phi \mid \Gamma \vdash_S \pi_i\, e : \sigma_i}\ (\& E)
\]
Immediate; the same rule applies. 

Case: $(\multimap I)$ 
\[
\frac{\phi;\Phi \mid \Gamma,\, x :[R^*]\ \sigma \vdash_S e : \tau \quad \phi;\Phi \models R \geq R^*_{\square\uparrow}}{\phi;\Phi \mid \Gamma \vdash_S \lambda(x :[R]\ \sigma).\, e : !_R\sigma \multimap \tau}\ (\multimap I)
\]
By induction, we have $\phi;\Phi \mid \Gamma,\, x :[R^*]\ \sigma \vdash e : \tau$, and we know $R \neq \square$ and $\phi;\Phi \models R \geq R^*_{\square\uparrow}$. 
By weakening, we have $\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash e : \tau$ and we can conclude by $(\multimap I)$. 

Case: $(\multimap E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash_S e_1 : !_R\sigma \multimap \tau \quad \phi;\Phi \mid \Delta \vdash_S e_2 : \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash_S e_1\, e_2 : \tau}\ (\multimap E)
\]
By induction, we have $\phi;\Phi \mid \Gamma \vdash e_1 : !_R\sigma \multimap \tau$ and $\phi;\Phi \mid \Delta \vdash e_2 : \sigma'$, and we also know $\phi;\Phi \models \sigma' \sqsubseteq \sigma$. 
By subtyping on the right, we can derive $\phi;\Phi \mid \Delta \vdash e_2 : \sigma$ and we can conclude with $(\multimap E)$. 

Case: $(\forall I)$ 
\[
\frac{\phi, i : \kappa;\Phi \mid \Gamma \vdash_S e : \sigma \quad i \text{ fresh in } \Phi}{\phi;\Phi \mid \sup(i, \Gamma) \vdash_S \Lambda i : \kappa.\, e : \forall i : \kappa.\, \sigma}\ (\forall I)
\]
By induction, we have $\phi, i : \kappa;\Phi \mid \Gamma \vdash e : \sigma$ and $i$ fresh in $\Phi$. By Lemma 27, we have $\phi, i : \kappa;\Phi \models \sup(i, \Gamma) \sqsubseteq \Gamma$, 
and so by weakening, we have $\phi, i : \kappa;\Phi \mid \sup(i, \Gamma) \vdash e : \sigma$. Now, we can conclude with $(\forall I)$. 

Case: $(\forall E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash_S e : \forall i : \kappa.\, \sigma \quad \phi \models S : \kappa}{\phi;\Phi \mid \Gamma \vdash_S e[S] : \sigma[S/i]}\ (\forall E)
\]
Immediate; the same rule applies. 

Case: (Fix) 
\[
\frac{\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash_S e : \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi \mid \infty \cdot \Gamma \vdash_S \mathsf{fix}\ x : \sigma.\, e : \sigma}\ (\mathrm{Fix})
\]
By induction, we have $\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash e : \sigma'$. But we also have $\phi;\Phi \models \sigma' \sqsubseteq \sigma$. By subtyping, we get 
$\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash e : \sigma$ and we can conclude with (Fix). 
Case: (N E) 
\[
\frac{\begin{array}{c}\phi;\Phi \mid \Delta \vdash_S e : \mathsf{N}[S] \quad \phi;\Phi, S = 0 \mid \Gamma_0 \vdash_S e_0 : \sigma_0 \quad \phi, i : n;\Phi, S = i + 1 \mid \Gamma_s,\, n :[R]\ \mathsf{N}[i] \vdash_S e_s : \sigma_s \\ \phi;\Phi, S = 0 \models \sigma_0 \sqsubseteq \sigma \quad \phi, i : n;\Phi, S = i + 1 \models \sigma_s \sqsubseteq \sigma\end{array}}{\phi;\Phi \mid \mathsf{case}(S, i, \Gamma_0, \Gamma_s) + \mathsf{case}(S, i, 0, R_{\square\uparrow}) \cdot \Delta \vdash_S \mathsf{case}\ e\ \mathsf{return}\ \sigma\ \mathsf{of}\ 0 \Rightarrow e_0 \mid n[i] + 1 \Rightarrow e_s : \sigma}\ (\mathrm{N}\,E)
\]
By induction, we have 
\[
\phi;\Phi \mid \Delta \vdash e : \mathsf{N}[S], \qquad \phi;\Phi, S = 0 \mid \Gamma_0 \vdash e_0 : \sigma_0, \qquad \phi, i : n;\Phi, S = i + 1 \mid \Gamma_s,\, n :[R]\ \mathsf{N}[i] \vdash e_s : \sigma_s.
\]
By Lemma 27, we have 
\[
\phi;\Phi, S = 0 \models \mathsf{case}(S, i, \Gamma_0, \Gamma_s) \sqsubseteq \Gamma_0, \qquad \phi, i : n;\Phi, S = i + 1 \models \mathsf{case}(S, i, \Gamma_0, \Gamma_s) \sqsubseteq \Gamma_s,
\]
\[
\phi, i : n;\Phi, S = i + 1 \models \mathsf{case}(S, i, 0, R_{\square\uparrow}) \geq R_{\square\uparrow}
\]
with $R' = \mathsf{case}(S, i, 0, R_{\square\uparrow}) \neq \square$, and we also know 
\[
\phi;\Phi, S = 0 \models \sigma_0 \sqsubseteq \sigma \qquad\text{and}\qquad \phi, i : n;\Phi, S = i + 1 \models \sigma_s \sqsubseteq \sigma.
\]
By subtyping on the left and right, we have 
\[
\phi;\Phi \mid \Delta \vdash e : \mathsf{N}[S], \qquad \phi;\Phi, S = 0 \mid \mathsf{case}(S, i, \Gamma_0, \Gamma_s) \vdash e_0 : \sigma,
\]
\[
\phi, i : n;\Phi, S = i + 1 \mid \mathsf{case}(S, i, \Gamma_0, \Gamma_s),\, n :[R']\ \mathsf{N}[i] \vdash e_s : \sigma,
\]
where $R' = \mathsf{case}(S, i, 0, R_{\square\uparrow})$. We can then conclude by (N E): 
\[
\frac{\phi;\Phi \mid \Delta \vdash e : \mathsf{N}[S] \quad \phi;\Phi, S = 0 \mid \Gamma \vdash e_0 : \sigma \quad \phi, i : n;\Phi, S = i + 1 \mid \Gamma,\, n :[R]\ \mathsf{N}[i] \vdash e_s : \sigma \quad i \,\#\, R \quad R \neq \square}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash \mathsf{case}\ e\ \mathsf{return}\ \sigma\ \mathsf{of}\ 0 \Rightarrow e_0 \mid n[i] + 1 \Rightarrow e_s : \sigma}\ (\mathrm{N}\,E)
\]
□ 


We now prove completeness, that is to say, for every derivation in the original system, the syntax-directed one will have a derivation, 
possibly even a better one from a subtyping point of view. 

We first need a few auxiliary lemmas: 

Lemma 30. Suppose that $\phi;\Phi \mid \Gamma \vdash_S e : \sigma$ is derivable. Then, for any logically equivalent $\Phi'$ such that $\phi \models \Phi \Leftrightarrow \Phi'$ there is a derivation of 
$\phi;\Phi' \mid \Gamma \vdash_S e : \sigma$ with the same height. 

Proof. By induction on the derivation. The only place the constraint environment is used is when checking constraints of the form 
\[
\phi;\Phi \models R \geq R'.
\]
But since $\Phi$ and $\Phi'$ are logically equivalent, we evidently have 
\[
\phi;\Phi' \models R \geq R'
\]
as well. □ 

Lemma 31 (Inner Weakening for the Syntax-directed system). Assume a derivation $\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash_S e : \tau$ and a type $\sigma'$ such that $\sigma' \sqsubseteq \sigma$. Then, 
there exists a type $\tau'$ and a derivation $\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma' \vdash_S e : \tau'$ such that $\tau' \sqsubseteq \tau$. 

Proof. By induction over the typing derivation. The base cases are immediate. In the induction hypothesis we get to pick the appropriate type, 
and we get a better type in all the cases. □ 

Lemma 32 (Syntax-directed completeness). If $\phi;\Phi \mid \Gamma \vdash e : \sigma$ has a derivation, then there exist $\Gamma', \sigma'$ such that $\phi;\Phi \mid \Gamma' \vdash_S e : \sigma'$ has a 
derivation, $\phi;\Phi \models \Gamma \sqsubseteq \Gamma'$, and $\phi;\Phi \models \sigma' \sqsubseteq \sigma$. 


Proof. By induction on the derivation proving $\phi;\Phi \mid \Gamma \vdash e : \sigma$. 

Case: $(\sqsubseteq L)$ 
\[
\frac{\phi;\Phi \mid \Delta \vdash e : \sigma \quad \phi;\Phi \models \Gamma \sqsubseteq \Delta}{\phi;\Phi \mid \Gamma \vdash e : \sigma}\ (\sqsubseteq L)
\]
Immediate, by induction; the desired environment is $\Delta$. 

Case: $(\sqsubseteq R)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash e : \sigma \quad \phi;\Phi \models \sigma \sqsubseteq \tau}{\phi;\Phi \mid \Gamma \vdash e : \tau}\ (\sqsubseteq R)
\]
Immediate, by induction; the desired subtype is $\sigma$. 

Case: (Var) 
\[
\frac{}{\phi;\Phi \mid \Gamma,\, x :[1]\ \sigma \vdash x : \sigma}\ (\mathrm{Var})
\]
Immediate; the same rule applies. 

Case: $(\otimes I)$ 
\[
\frac{\phi;\Phi \mid \Gamma_1 \vdash e_1 : \sigma \quad \phi;\Phi \mid \Gamma_2 \vdash e_2 : \tau}{\phi;\Phi \mid \Gamma_1 + \Gamma_2 \vdash (e_1, e_2) : \sigma \otimes \tau}\ (\otimes I)
\]
By induction, we have $\Gamma_1', \Gamma_2', \sigma', \tau'$ such that 
\[
\phi;\Phi \models \Gamma_1 \sqsubseteq \Gamma_1' \wedge \Gamma_2 \sqsubseteq \Gamma_2' \quad\text{and}\quad \phi;\Phi \models \sigma' \sqsubseteq \sigma \wedge \tau' \sqsubseteq \tau
\]
and derivations 
\[
\phi;\Phi \mid \Gamma_1' \vdash_S e_1 : \sigma' \quad\text{and}\quad \phi;\Phi \mid \Gamma_2' \vdash_S e_2 : \tau'.
\]
Then we can conclude by $(\otimes I)$, since Lemma 26 shows 
\[
\phi;\Phi \models \Gamma_1 + \Gamma_2 \sqsubseteq \Gamma_1' + \Gamma_2' \quad\text{and}\quad \phi;\Phi \models \sigma' \otimes \tau' \sqsubseteq \sigma \otimes \tau.
\]
Case: $(\otimes E)$ 
\[
\frac{\phi;\Phi \mid \Delta \vdash e : \sigma \otimes \tau \quad \phi;\Phi \mid \Gamma,\, x :[R]\ \sigma,\, y :[R]\ \tau \vdash e' : \mu \quad R \neq \square}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash \mathsf{let}(x, y) = e\ \mathsf{in}\ e' : \mu}\ (\otimes E)
\]
By induction and inversion on the subtype relation, we have $\Delta', \Gamma', \sigma', \sigma'', \tau', \tau'', \mu', R_1, R_2$ such that 
\[
\phi;\Phi \models \Delta \sqsubseteq \Delta', \qquad \phi;\Phi \models \Gamma,\, x :[R]\ \sigma,\, y :[R]\ \tau \sqsubseteq \Gamma',\, x :[R_1]\ \sigma'',\, y :[R_2]\ \tau'',
\]
\[
\phi;\Phi \models \sigma' \sqsubseteq \sigma \wedge \tau' \sqsubseteq \tau, \qquad \phi;\Phi \models \mu' \sqsubseteq \mu;
\]
this implies $\sigma' \sqsubseteq \sigma''$, $\tau' \sqsubseteq \tau''$, $R \geq R_{1\square\uparrow}$ and $R \geq R_{2\square\uparrow}$. We have derivations: 
\[
\phi;\Phi \mid \Delta' \vdash_S e : \sigma' \otimes \tau' \qquad\text{and}\qquad \phi;\Phi \mid \Gamma',\, x :[R_1]\ \sigma'',\, y :[R_2]\ \tau'' \vdash_S e' : \mu'.
\]
By Lemma 31, we have a derivation 
\[
\phi;\Phi \mid \Gamma',\, x :[R_1]\ \sigma',\, y :[R_2]\ \tau' \vdash_S e' : \mu''
\]
with $\mu'' \sqsubseteq \mu'$. Hence, we can now produce a syntax-directed derivation: 
\[
\phi;\Phi \mid \Gamma' + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta' \vdash_S \mathsf{let}(x, y) = e\ \mathsf{in}\ e' : \mu''.
\]
By Lemma 27, we have that $\phi;\Phi \models R \geq \max(R_{1\square\uparrow}, R_{2\square\uparrow})$, and by Lemma 26, 
\[
\phi;\Phi \models \Gamma + R \cdot \Delta \sqsubseteq \Gamma' + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta',
\]
so we are done: the environment $\Gamma' + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta'$ and subtype $\mu''$ suffice. 

Case: $(\& I)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash e_1 : \sigma \quad \phi;\Phi \mid \Gamma \vdash e_2 : \tau}{\phi;\Phi \mid \Gamma \vdash (e_1, e_2) : \sigma \,\&\, \tau}\ (\& I)
\]
By induction, there exist $\Gamma_1', \Gamma_2', \sigma', \tau'$ such that 
\[
\phi;\Phi \models \Gamma \sqsubseteq \Gamma_1' \quad\text{and}\quad \phi;\Phi \models \Gamma \sqsubseteq \Gamma_2', \qquad \phi;\Phi \models \sigma' \sqsubseteq \sigma \quad\text{and}\quad \phi;\Phi \models \tau' \sqsubseteq \tau,
\]
and derivations 
\[
\phi;\Phi \mid \Gamma_1' \vdash_S e_1 : \sigma' \quad\text{and}\quad \phi;\Phi \mid \Gamma_2' \vdash_S e_2 : \tau'.
\]
By $(\& I)$, we have 
\[
\phi;\Phi \mid \max(\Gamma_1', \Gamma_2') \vdash_S (e_1, e_2) : \sigma' \,\&\, \tau'.
\]
We are done, since by Lemmas 26 and 27, 
\[
\phi;\Phi \models \sigma' \,\&\, \tau' \sqsubseteq \sigma \,\&\, \tau \quad\text{and}\quad \phi;\Phi \models \Gamma \sqsubseteq \max(\Gamma_1', \Gamma_2').
\]
So, the desired environment is $\max(\Gamma_1', \Gamma_2')$, and the desired subtype is $\sigma' \,\&\, \tau'$. 

Case: $(\& E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash e : \sigma_1 \,\&\, \sigma_2}{\phi;\Phi \mid \Gamma \vdash \pi_i\, e : \sigma_i}\ (\& E)
\]
Immediate, by induction. 
Case: $(\multimap I)$ 
\[
\frac{\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash e : \tau \quad R \neq \square}{\phi;\Phi \mid \Gamma \vdash \lambda(x :[R]\ \sigma).\, e : !_R\sigma \multimap \tau}\ (\multimap I)
\]
By induction, there exist $\Gamma', R', \tau'$ such that 
\[
\phi;\Phi \models \Gamma,\, x :[R]\ \sigma \sqsubseteq \Gamma',\, x :[R']\ \sigma \quad\text{and}\quad \phi;\Phi \models \tau' \sqsubseteq \tau,
\]
and a derivation $\phi;\Phi \mid \Gamma',\, x :[R']\ \sigma \vdash_S e : \tau'$. 

By inversion on the subtype relation, we have 
\[
\phi;\Phi \models R \geq R'_{\square\uparrow} \wedge \tau' \sqsubseteq \tau \quad\text{and}\quad \phi;\Phi \models \Gamma \sqsubseteq \Gamma',
\]
and we are done, since 
\[
\frac{\phi;\Phi \mid \Gamma',\, x :[R']\ \sigma \vdash_S e : \tau' \quad \phi;\Phi \models R \geq R'_{\square\uparrow}}{\phi;\Phi \mid \Gamma' \vdash_S \lambda(x :[R]\ \sigma).\, e : !_R\sigma \multimap \tau'}\ (\multimap I)
\]
Case: $(\multimap E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash e_1 : !_R\sigma \multimap \tau \quad \phi;\Phi \mid \Delta \vdash e_2 : \sigma}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash e_1\, e_2 : \tau}\ (\multimap E)
\]
By induction, there exist $\Gamma', \Delta', R', \sigma', \tau', \sigma''$ such that 
\[
\phi;\Phi \models \Gamma \sqsubseteq \Gamma', \qquad \phi;\Phi \models \Delta \sqsubseteq \Delta', \qquad \phi;\Phi \models !_{R'}\sigma' \multimap \tau' \sqsubseteq !_R\sigma \multimap \tau, \qquad \phi;\Phi \models \sigma'' \sqsubseteq \sigma,
\]
and derivations 
\[
\phi;\Phi \mid \Gamma' \vdash_S e_1 : !_{R'}\sigma' \multimap \tau' \quad\text{and}\quad \phi;\Phi \mid \Delta' \vdash_S e_2 : \sigma''.
\]
By inversion on the subtype relation, we have 
\[
\phi;\Phi \models R \geq R' \quad\text{and}\quad \phi;\Phi \models \sigma'' \sqsubseteq \sigma \sqsubseteq \sigma' \quad\text{and}\quad \phi;\Phi \models \tau' \sqsubseteq \tau.
\]
By Lemma 27, the environment $\Gamma' + R' \cdot \Delta'$ and subtype $\tau'$ suffice. 

Case: $(\forall I)$ 
\[
\frac{\phi, i : \kappa;\Phi \mid \Gamma \vdash e : \sigma \quad i \text{ fresh in } \Phi, \Gamma}{\phi;\Phi \mid \Gamma \vdash \Lambda i : \kappa.\, e : \forall i : \kappa.\, \sigma}\ (\forall I)
\]
By induction, there exist $\Gamma', \sigma'$ such that 
\[
\phi, i : \kappa;\Phi \models \sigma' \sqsubseteq \sigma \quad\text{and}\quad \phi, i : \kappa;\Phi \models \Gamma \sqsubseteq \Gamma',
\]
and a derivation $\phi, i : \kappa;\Phi \mid \Gamma' \vdash_S e : \sigma'$. Thus, we have the derivation 
\[
\phi;\Phi \mid \sup(i, \Gamma') \vdash_S \Lambda i : \kappa.\, e : \forall i : \kappa.\, \sigma'
\]
and $\phi;\Phi \models \forall i : \kappa.\, \sigma' \sqsubseteq \forall i : \kappa.\, \sigma$. By Lemma 27, we actually have 
\[
\phi;\Phi \models \Gamma \sqsubseteq \sup(i, \Gamma') \sqsubseteq \Gamma',
\]
so the environment $\sup(i, \Gamma')$ and subtype $\forall i : \kappa.\, \sigma'$ suffice. 

Case: $(\forall E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash e : \forall i : \kappa.\, \sigma \quad \phi \models S : \kappa}{\phi;\Phi \mid \Gamma \vdash e[S] : \sigma[S/i]}\ (\forall E)
\]
By induction, there exist $\Gamma', \sigma'$ such that 
\[
\phi;\Phi \models \Gamma \sqsubseteq \Gamma' \quad\text{and}\quad \phi;\Phi \models \forall i : \kappa.\, \sigma' \sqsubseteq \forall i : \kappa.\, \sigma,
\]
and a derivation $\phi;\Phi \mid \Gamma' \vdash_S e : \forall i : \kappa.\, \sigma'$. So, we have a derivation 
\[
\phi;\Phi \mid \Gamma' \vdash_S e[S] : \sigma'[S/i].
\]
By Lemma 28, $\phi;\Phi \models \sigma'[S/i] \sqsubseteq \sigma[S/i]$, so the environment $\Gamma'$ and subtype $\sigma'[S/i]$ suffice. 

Case: (Fix) 
\[
\frac{\phi;\Phi \mid \Gamma,\, x :[\infty]\ \sigma \vdash e : \sigma}{\phi;\Phi \mid \infty \cdot \Gamma \vdash \mathsf{fix}\ x : \sigma.\, e : \sigma}\ (\mathrm{Fix})
\]
By induction, we have $\Gamma', R', \sigma'$ such that 
\[
\phi;\Phi \models \Gamma,\, x :[\infty]\ \sigma \sqsubseteq \Gamma',\, x :[R']\ \sigma \quad\text{and}\quad \phi;\Phi \models \sigma' \sqsubseteq \sigma,
\]
and a derivation $\phi;\Phi \mid \Gamma',\, x :[R']\ \sigma \vdash_S e : \sigma'$. 
We can then conclude by (Fix): the desired environment is $\infty \cdot \Gamma'$ and the desired type is $\sigma$. 

Case: (N E) 
\[
\frac{\phi;\Phi \mid \Delta \vdash e : \mathsf{N}[S] \quad \phi;\Phi, S = 0 \mid \Gamma \vdash e_0 : \sigma \quad \phi, i : n;\Phi, S = i + 1 \mid \Gamma,\, n :[R]\ \mathsf{N}[i] \vdash e_s : \sigma \quad i \,\#\, R \quad R \neq \square}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash \mathsf{case}\ e\ \mathsf{return}\ \sigma\ \mathsf{of}\ 0 \Rightarrow e_0 \mid n[i] + 1 \Rightarrow e_s : \sigma}\ (\mathrm{N}\,E)
\]
By induction, there exists $\Delta'$ such that 
\[
\phi;\Phi \models \Delta \sqsubseteq \Delta' \quad\text{and}\quad \phi;\Phi \mid \Delta' \vdash_S e : \mathsf{N}[S'] \quad\text{and}\quad \phi;\Phi \models \mathsf{N}[S'] \sqsubseteq \mathsf{N}[S].
\]
By inversion, $\phi;\Phi \models S = S'$. Also by induction, there exist $\Gamma_0', \Gamma_s', R', \sigma_0', \sigma_s'$ such that 
\[
\phi;\Phi, S = 0 \models \Gamma \sqsubseteq \Gamma_0', \qquad \phi, i : n;\Phi, S = i + 1 \models \Gamma,\, n :[R]\ \mathsf{N}[i] \sqsubseteq \Gamma_s',\, n :[R']\ \mathsf{N}[i],
\]
\[
\phi;\Phi, S = 0 \models \sigma_0' \sqsubseteq \sigma, \qquad \phi, i : n;\Phi, S = i + 1 \models \sigma_s' \sqsubseteq \sigma,
\]
and derivations 
\[
\phi;\Phi, S = 0 \mid \Gamma_0' \vdash_S e_0 : \sigma_0' \qquad\text{and}\qquad \phi, i : n;\Phi, S = i + 1 \mid \Gamma_s',\, n :[R']\ \mathsf{N}[i] \vdash_S e_s : \sigma_s'.
\]
By Lemma 30, we also have derivations 
\[
\phi;\Phi, S' = 0 \mid \Gamma_0' \vdash_S e_0 : \sigma_0' \qquad\text{and}\qquad \phi, i : n;\Phi, S' = i + 1 \mid \Gamma_s',\, n :[R']\ \mathsf{N}[i] \vdash_S e_s : \sigma_s'
\]
since $\phi;\Phi \models S = S'$. Hence, we have a derivation 
\[
\phi;\Phi \mid \mathsf{case}(S', i, \Gamma_0', \Gamma_s') + R^* \cdot \Delta' \vdash_S \mathsf{case}\ e\ \mathsf{return}\ \sigma\ \mathsf{of}\ 0 \Rightarrow e_0 \mid n[i] + 1 \Rightarrow e_s : \sigma,
\]
where $R^*$ is $\mathsf{case}(S', i, 0, R'_{\square\uparrow})$. We have 
\[
\phi;\Phi, S' = 0 \models \mathsf{case}(S', i, \Gamma_0', \Gamma_s') \sqsubseteq \Gamma_0' \qquad\text{and}\qquad \phi, i : n;\Phi, S' = i + 1 \models \mathsf{case}(S', i, \Gamma_0', \Gamma_s') \sqsubseteq \Gamma_s',
\]
so by Lemma 27 
\[
\phi;\Phi \models \Gamma \sqsubseteq \mathsf{case}(S', i, \Gamma_0', \Gamma_s')
\]
and 
\[
\phi, i : n;\Phi, S' = i + 1 \models R \geq R^* \geq R'_{\square\uparrow}, \qquad \phi;\Phi \models R \geq R^*,
\]
thanks to $R \neq \square$. By weakening, we have 
\[
\phi;\Phi \mid \Delta' \vdash_S e : \mathsf{N}[S'], \qquad \phi;\Phi, S = 0 \mid \mathsf{case}(S', i, \Gamma_0', \Gamma_s') \vdash_S e_0 : \sigma,
\]
\[
\phi, i : n;\Phi, S = i + 1 \mid \mathsf{case}(S', i, \Gamma_0', \Gamma_s'),\, n :[R^*]\ \mathsf{N}[i] \vdash_S e_s : \sigma,
\]
so we can conclude with (N E). The environment $\mathsf{case}(S', i, \Gamma_0', \Gamma_s') + R^* \cdot \Delta'$ and type $\sigma$ suffice (recall that $\phi;\Phi \models R \geq R^*$, and 
$\phi;\Phi \models R \cdot \Delta \sqsubseteq R^* \cdot \Delta'$ by Lemma 26). □ 


D.1 Algorithm Proofs 

Theorem 33 (Algorithmic Soundness). Suppose $\phi;\Phi;\Gamma^*; e \Rightarrow \Gamma; \sigma$. Then, there is a derivation of $\phi;\Phi \mid \Gamma \vdash_S e : \sigma$. 

Proof. By induction on the algorithmic derivations we see that every algorithmic step has an exact correspondence with a syntax-directed 
derivation. We do a few representative cases: 

Case (Var): the algorithmic rule 
\[
\frac{}{\phi;\Phi;\Gamma^*, x : \sigma;\, x \Rightarrow \mathrm{Ectx}(\Gamma^*),\, x :[1]\ \sigma;\, \sigma}\ (\mathrm{Var})
\]
corresponds to the syntax-directed rule 
\[
\frac{}{\phi;\Phi \mid \mathrm{Ectx}(\Gamma^*),\, x :[1]\ \sigma \vdash_S x : \sigma}\ (\mathrm{Var})
\]

Case $(\multimap E)$: the algorithmic rule 
\[
\frac{\phi;\Phi;\Gamma^*; e_1 \Rightarrow \Gamma;\, !_R\sigma \multimap \tau \quad \phi;\Phi;\Delta^*; e_2 \Rightarrow \Delta;\, \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi;\Gamma^*; e_1\, e_2 \Rightarrow \Gamma + R \cdot \Delta;\, \tau}\ (\multimap E)
\]
corresponds to 
\[
\frac{\phi;\Phi \mid \Gamma \vdash_S e_1 : !_R\sigma \multimap \tau \quad \phi;\Phi \mid \Delta \vdash_S e_2 : \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash_S e_1\, e_2 : \tau}\ (\multimap E)
\]







Case $(\otimes E)$: the algorithmic rule 
\[
\frac{\phi;\Phi;\Gamma^*; e \Rightarrow \Delta;\, \sigma \otimes \tau \quad \phi;\Phi;\Gamma^*, x : \sigma, y : \tau;\, e' \Rightarrow \Gamma,\, x :[R_1]\ \sigma,\, y :[R_2]\ \tau;\, \mu}{\phi;\Phi;\Gamma^*;\, \mathsf{let}(x, y) = e\ \mathsf{in}\ e' \Rightarrow \Gamma + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta;\, \mu}\ (\otimes E)
\]
corresponds to 
\[
\frac{\phi;\Phi \mid \Delta \vdash_S e : \sigma \otimes \tau \quad \phi;\Phi \mid \Gamma,\, x :[R_1]\ \sigma,\, y :[R_2]\ \tau \vdash_S e' : \mu}{\phi;\Phi \mid \Gamma + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta \vdash_S \mathsf{let}(x, y) = e\ \mathsf{in}\ e' : \mu}\ (\otimes E)
\]
□ 

Theorem 34 (Algorithmic Completeness). Suppose $\phi;\Phi \mid \Gamma \vdash_S e : \sigma$ is derivable. Then $\phi;\Phi;\Gamma^*; e \Rightarrow \Gamma; \sigma$. 

Proof. By induction on the syntax-directed derivation. The proof is mostly direct; we show a few representative cases. 

Case $(\multimap E)$ 
\[
\frac{\phi;\Phi \mid \Gamma \vdash_S e_1 : !_R\sigma \multimap \tau \quad \phi;\Phi \mid \Delta \vdash_S e_2 : \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi \mid \Gamma + R \cdot \Delta \vdash_S e_1\, e_2 : \tau}\ (\multimap E)
\]
By induction, we have derivations 
\[
\phi;\Phi;\Gamma^*; e_1 \Rightarrow \Gamma;\, !_R\sigma \multimap \tau \quad\text{and}\quad \phi;\Phi;\Delta^*; e_2 \Rightarrow \Delta;\, \sigma'.
\]
Note that $\Gamma^* = \Delta^*$ for the syntax-directed derivation to be defined, so we can apply the algorithmic rule $(\multimap E)$: 
\[
\frac{\phi;\Phi;\Gamma^*; e_1 \Rightarrow \Gamma;\, !_R\sigma \multimap \tau \quad \phi;\Phi;\Delta^*; e_2 \Rightarrow \Delta;\, \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi;\Gamma^*; e_1\, e_2 \Rightarrow \Gamma + R \cdot \Delta;\, \tau}\ (\multimap E)
\]

Case (Fix) 
\[
\frac{\phi;\Phi \mid \Gamma,\, x :[R]\ \sigma \vdash_S e : \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi \mid \infty \cdot \Gamma \vdash_S \mathsf{fix}\ x : \sigma.\, e : \sigma}\ (\mathrm{Fix})
\]
By induction, we have $\phi;\Phi;\Gamma^*, x : \sigma;\, e \Rightarrow \Gamma,\, x :[R]\ \sigma;\, \sigma'$ and we can apply the algorithmic rule (Fix): 
\[
\frac{\phi;\Phi;\Gamma^*, x : \sigma;\, e \Rightarrow \Gamma,\, x :[R]\ \sigma;\, \sigma' \quad \phi;\Phi \models \sigma' \sqsubseteq \sigma}{\phi;\Phi;\Gamma^*;\, \mathsf{fix}\ x : \sigma.\, e \Rightarrow \infty \cdot \Gamma;\, \sigma}\ (\mathrm{Fix})
\]

Case $(\otimes E)$ 
\[
\frac{\phi;\Phi \mid \Delta \vdash_S e : \sigma \otimes \tau \quad \phi;\Phi \mid \Gamma,\, x :[R_1]\ \sigma,\, y :[R_2]\ \tau \vdash_S e' : \mu}{\phi;\Phi \mid \Gamma + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta \vdash_S \mathsf{let}(x, y) = e\ \mathsf{in}\ e' : \mu}\ (\otimes E)
\]
We know that $\Gamma^* = \Delta^*$. By induction, we know that 
\[
\phi;\Phi;\Gamma^*; e \Rightarrow \Delta;\, \sigma_1' \otimes \sigma_2' \quad\text{and}\quad \phi;\Phi;\Gamma^*, x : \sigma_1, y : \sigma_2;\, e' \Rightarrow \Gamma,\, x :[R_1]\ \sigma_1,\, y :[R_2]\ \sigma_2;\, \mu,
\]
and we know $\phi;\Phi \models \sigma_1' \sqsubseteq \sigma_1 \wedge \sigma_2' \sqsubseteq \sigma_2$, so we apply the algorithmic case $(\otimes E)$: 
\[
\frac{\phi;\Phi;\Gamma^*; e \Rightarrow \Delta;\, \sigma \otimes \tau \quad \phi;\Phi;\Gamma^*, x : \sigma, y : \tau;\, e' \Rightarrow \Gamma,\, x :[R_1]\ \sigma,\, y :[R_2]\ \tau;\, \mu}{\phi;\Phi;\Gamma^*;\, \mathsf{let}(x, y) = e\ \mathsf{in}\ e' \Rightarrow \Gamma + \max(R_{1\square\uparrow}, R_{2\square\uparrow}) \cdot \Delta;\, \mu}\ (\otimes E)
\]

Case (N E) 
\[
\frac{\begin{array}{c}\phi;\Phi \mid \Delta \vdash_S e : \mathsf{N}[S] \quad \phi;\Phi, S = 0 \mid \Gamma_0 \vdash_S e_0 : \sigma_0 \quad \phi, i : n;\Phi, S = i + 1 \mid \Gamma_s,\, n :[R]\ \mathsf{N}[i] \vdash_S e_s : \sigma_s \\ \phi;\Phi, S = 0 \models \sigma_0 \sqsubseteq \sigma \quad \phi, i : n;\Phi, S = i + 1 \models \sigma_s \sqsubseteq \sigma\end{array}}{\phi;\Phi \mid \mathsf{case}(S, i, \Gamma_0, \Gamma_s) + \mathsf{case}(S, i, 0, R_{\square\uparrow}) \cdot \Delta \vdash_S \mathsf{case}\ e\ \mathsf{return}\ \sigma\ \mathsf{of}\ 0 \Rightarrow e_0 \mid n[i] + 1 \Rightarrow e_s : \sigma}\ (\mathrm{N}\,E)
\]
We know that $\Gamma^* = \Delta^*$. By induction, we know that 
\[
\phi;\Phi;\Gamma^*; e \Rightarrow \Delta;\, \mathsf{N}[S], \qquad \phi;\Phi, S = 0;\Gamma^*; e_0 \Rightarrow \Gamma_0;\, \sigma_0,
\]
\[
\phi, i : n;\Phi, S = i + 1;\Gamma^*, x : \mathsf{N}[i];\, e_s \Rightarrow \Gamma_s,\, x :[R']\ \mathsf{N}[i];\, \sigma_s,
\]
and we know 
\[
\phi;\Phi, S = 0 \models \sigma_0 \sqsubseteq \sigma \quad\text{and}\quad \phi, i : n;\Phi, S = i + 1 \models \sigma_s \sqsubseteq \sigma.
\]
We can conclude with the algorithmic rule (N E): 
\[
\frac{\begin{array}{c}\phi;\Phi;\Gamma^*; e \Rightarrow \Delta;\, \mathsf{N}[S] \quad \phi;\Phi, S = 0;\Gamma^*; e_0 \Rightarrow \Gamma_0;\, \sigma_0 \quad \phi, i : n;\Phi, S = i + 1;\Gamma^*, x : \mathsf{N}[i];\, e_s \Rightarrow \Gamma_s,\, x :[R']\ \mathsf{N}[i];\, \sigma_s \\ \phi;\Phi, S = 0 \models \sigma_0 \sqsubseteq \sigma \quad \phi, i : n;\Phi, S = i + 1 \models \sigma_s \sqsubseteq \sigma\end{array}}{\phi;\Phi;\Gamma^*;\, \mathsf{case}\ e\ \mathsf{return}\ \sigma\ \mathsf{of}\ 0 \Rightarrow e_0 \mid x[i] + 1 \Rightarrow e_s \Rightarrow \mathsf{case}(S, i, \Gamma_0, \Gamma_s) + \mathsf{case}(S, i, 0, R'_{\square\uparrow}) \cdot \Delta;\, \sigma}\ (\mathrm{N}\,E)
\]
□ 


E. Minimal Types 

Lemma 35. DFuzz does not have minimal types. 

Proof. Using dependent recursion, we can define a function $\mathsf{use} : \forall i : n.\ !_0\mathsf{N}[i] \multimap !_i\mathsf{R} \multimap \mathsf{R}$ that multiplies a real number by a natural 
number. Consider the following term $e$: 
\[
\Lambda i : n.\ \lambda e : \mathsf{N}[i],\, x : \mathsf{R}.\ (x,\ \mathsf{use}[i]\ e\ x + \mathsf{use}[i]\ e\ x).
\]
Evidently, the minimal type should have the form 
\[
\emptyset;\emptyset \mid \emptyset \vdash e : \forall i : n.\ !_0\mathsf{N}[i] \multimap !_q\mathsf{R} \multimap \mathsf{R} \,\&\, \mathsf{R}
\]
for some sensitivity expression $q$. What should $q$ be? Note that $q(i)$ can a priori be a polynomial in $i$ with positive, real coefficients. By 
inspecting the typing rules, we find that 
\[
i : n;\emptyset \models q(i) \geq 1 \wedge q(i) \geq 2i.
\]
Furthermore, the subtyping judgments show that 
\[
\forall i : n.\ !_0\mathsf{N}[i] \multimap !_a\mathsf{R} \multimap \mathsf{R} \,\&\, \mathsf{R} \ \sqsubseteq\ \forall i : n.\ !_0\mathsf{N}[i] \multimap !_b\mathsf{R} \multimap \mathsf{R} \,\&\, \mathsf{R}
\]
is equivalent to $i : n;\emptyset \models a \leq b$. Suppose that $q(i)$ is the minimal such polynomial for the sensitivity in the type of $e$. If the degree of $q$ is 
strictly greater than 1, then the polynomial $2i + 1$ satisfies $2i + 1 \geq 1 \wedge 2i + 1 \geq 2i$, and is eventually smaller than $q$ for large $i$ (since $q$ has 
higher degree and has non-negative coefficients). 

On the other hand, $q$ can't have degree 0 since it must be larger than $2i$ for all $i$. If $q$ has degree 1, then its leading coefficient must be at 
least 2. Now, the polynomial $i^2 + 1$ satisfies $i^2 + 1 \geq 1 \wedge i^2 + 1 \geq 2i$. Finally, note 
\[
q \geq 2i + 1 \geq i^2 + 1
\]
for $i \in \{0, 1\}$. Hence, there is no minimal sensitivity $q$, and hence no minimal type for $e$. □ 

F. Auxiliary Lemmas 

Lemma 36 (Standard Annotations). Assume annotations in a term $e$ range over regular sensitivities and $\phi;\Phi \mid \Gamma \vdash_S e : \sigma$. Then: 

• $\sigma$ has no extended sensitivities; and 

• all the constraints are of the form $\phi;\Phi \models R \geq R'$ where $R$ is a standard sensitivity term. 

This directly implies Lemma 11. 

Proof. The first point is clear by inspecting the rules in Figure 8: by induction, the type of any expression has only regular sensitivities. The 
second point is also clear: in all subtype checks in Figure 8, both types have no extended sensitivities by the first point. The only place where 
we check against an extended sensitivity is in rule $(\multimap I)$, with constraint 
\[
\phi;\Phi \models R \geq R'.
\]
Here, the $R$ is a standard sensitivity term since it is an annotation, but the $R'$ may be an extended sensitivity. □ 

Lemma 37 (Constraint Simplification). Suppose $Q \vdash Q'$, and suppose $\phi \vdash Q$ and $\phi \vdash Q'$. Then, for any standard valuation $\rho \in \mathrm{val}(\phi)$, we 
have $\llbracket Q \rrbracket_\rho = \llbracket Q' \rrbracket_\rho$. 

Proof. By induction on the derivation of $Q \vdash Q'$. The cases Plus, Mult and Red are immediate by induction. The other cases all follow by 
the semantics of club. 

Case Flat: The semantics of $Q$ under valuation $\rho$ is equivalent to the larger of 
\[
\max_{\rho'}\, \{\, \max\{ \llbracket R_i \rrbracket_{\rho \cup \rho' \cup \rho''} \mid \phi_i;\Phi_i \models \rho'' \} \mid \phi';\Phi' \models \rho' \,\}
\]
and $N = \llbracket \mathrm{club}\{V\} \rrbracket_\rho$. The first expression can be seen to be 
\[
M = \max_{i, \rho', \rho''}\, \{\, \llbracket R_i \rrbracket_{\rho \cup \rho' \cup \rho''} \mid \phi', \phi_i;\Phi' \wedge \Phi_i \models \rho', \rho'' \,\},
\]
and the semantics of $Q'$ under the valuation can be seen to be $\max(M, N)$, as desired. 

Case CPlus: The interpretation of $Q$ under valuation $\rho$ is 
\[
\max_i \max\{ \llbracket R_i \rrbracket_{\rho \cup \rho_i} \mid \phi_i;\Phi_i \models \rho_i \} + \max_j \max\{ \llbracket R'_j \rrbracket_{\rho \cup \rho'_j} \mid \phi'_j;\Phi'_j \models \rho'_j \}.
\]
The first maximum is achieved at some $i^*$, and the second maximum is achieved at $j^*$. Then, 
\[
\max\{ \llbracket R_{i^*} \rrbracket_{\rho \cup \rho_{i^*}} \mid \phi_{i^*};\Phi_{i^*} \models \rho_{i^*} \} + \max\{ \llbracket R'_{j^*} \rrbracket_{\rho \cup \rho'_{j^*}} \mid \phi'_{j^*};\Phi'_{j^*} \models \rho'_{j^*} \}
\]
is at most 
\[
\max\{ \llbracket R_{i^*} + R'_{j^*} \rrbracket_{\rho \cup \rho_{i^*} \cup \rho'_{j^*}} \mid \phi_{i^*}, \phi'_{j^*};\Phi_{i^*} \wedge \Phi'_{j^*} \models \rho_{i^*}, \rho'_{j^*} \} \leq \llbracket \mathrm{club}\{(\phi_i \cup \phi'_j;\Phi_i \wedge \Phi'_j;R_i + R'_j)\}_{i,j} \rrbracket_\rho
\]
since $\phi_{i^*}, \phi'_{j^*}$ are assumed to be disjoint. For the reverse direction, consider the semantics of $Q'$: 
\[
\max_{i,j} \max\{ \llbracket R_i + R'_j \rrbracket_{\rho \cup \rho_i \cup \rho'_j} \mid \phi_i, \phi'_j;\Phi_i \wedge \Phi'_j \models \rho_i, \rho'_j \}.
\]
If there are no valuations such that $\phi_i \cup \phi'_j;\Phi_i \wedge \Phi'_j \models \rho_i, \rho'_j$, then we are done (we've defined the max of an empty set to be 0). If the 
maximum is achieved at some $\rho, \rho'$ at $i^*, j^*$, then we know $\phi_{i^*};\Phi_{i^*} \models \rho$ and $\phi'_{j^*};\Phi'_{j^*} \models \rho'$, whence the maximum is at most $\llbracket Q \rrbracket_\rho$. 

Case CMult: This case follows like the previous case. □ 